[minor] gitops: automated configtool oidc registration

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-12-17T09:42:21Z",
+  "generated_at": "2025-01-14T17:01:44Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -152,7 +152,7 @@
         "hashed_secret": "b6f30c2855008e26d901927d33cfcb970c62fe00",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 264,
+        "line_number": 281,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -344,7 +344,7 @@
         "hashed_secret": "b2817467154949a61f8e9ad31d1eeaf03221cbfa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 450,
+        "line_number": 510,
         "type": "Secret Keyword",
         "verified_result": null
       }

image/cli/mascli/functions/configtool_oidc

@@ -36,8 +36,11 @@ So far only trust ui prefix is supported to update. Same as register command.
 ${COLOR_YELLOW}### mas oidc [-h|--help]${TEXT_RESET}
 Show this help message
 
-${COLOR_YELLOW}4. Options for command${TEXT_RESET}
-Cluster Credentials (Required):
+OAuth Admin Credentials (Optional)
+  ${COLOR_YELLOW}OAUTH_ADMIN_USERNAME${TEXT_RESET}.                       If not set, the script will attempt to retrieve this from the {INSTANCE_NAME}-credentials-oauth-admin secret in the mas core namespace
+  ${COLOR_YELLOW}OAUTH_ADMIN_PWD${TEXT_RESET}.                            If not set, the script will attempt to retrieve this from the {INSTANCE_NAME}-credentials-oauth-admin secret in the mas core namespace
+
+Cluster Credentials (Required unless both OAUTH_ADMIN_USERNAME and OAUTH_ADMIN_PWD env vars are set):
   -t, --token ${COLOR_YELLOW}CLUSTER_TOKEN${TEXT_RESET}                     Cluster's token
   -s, --server ${COLOR_YELLOW}CLUSTER_SERVER${TEXT_RESET}                   Cluster server
 
@@ -81,9 +84,12 @@ function configtool_oidc_noninteractive() {
       esac
   done
 
-  # check all args have been set
-  [[ -z "$CLUSTER_TOKEN" ]] && configtool_oidc_help "CLUSTER_TOKEN is not set"
-  [[ -z "$CLUSTER_SERVER" ]] && configtool_oidc_help "CLUSTER_SERVER is not set"
+
+  if [[ -z "$OAUTH_ADMIN_USERNAME" || -z "$OAUTH_ADMIN_PWD" ]]; then
+    [[ -z "$CLUSTER_TOKEN" ]] && configtool_oidc_help "CLUSTER_TOKEN must be set if either OAUTH_ADMIN_USERNAME or OAUTH_ADMIN_PWD env vars are not provided"
+    [[ -z "$CLUSTER_SERVER" ]] && configtool_oidc_help "CLUSTER_SERVER must be set if either OAUTH_ADMIN_USERNAME or OAUTH_ADMIN_PWD env vars are not provided"
+  fi
+
   [[ -z "$MAS_HOME" ]] && configtool_oidc_help "MAS_HOME is not set"
   [[ -z "$TRUST_UI_PREFIX" ]] && configtool_oidc_help "TRUST_UI_PREFIX is not set"
 }
@@ -145,15 +151,11 @@ function configtool_oidc() {
   export TRUST_UI_PREFIX
   export MAS_INSTANCE_ID
 
-  # login cluster
-  echo Login $CLUSTER_SERVER...
-  oc login --token=$CLUSTER_TOKEN --server=$CLUSTER_SERVER
-
   # instance name and domain
   echo preparing for $MAS_HOME...
   if [[ -z $MAS_HOME ]]; then
     echo "${COLOR_RED}MAS_HOME must be provided and not empty. sample: export MAS_HOME=\"masdev.home.mobfound1.masdev.suite.maximo.com\"${TEXT_RESET}"
-    exit 0
+    exit 1
   fi
   MAS_PARTS=(`echo $MAS_HOME | tr "." " "`)
   DOT="."
@@ -173,7 +175,7 @@ function configtool_oidc() {
   done
   if [[ $i -lt 4 ]]; then
     echo "${COLOR_RED}MAS_HOME is incorrect. sample: \"masdev.home.mobfound1.masdev.suite.maximo.com\"${TEXT_RESET}"
-    exit 0
+    exit 1
   fi
 
   # OAUTH information
@@ -186,18 +188,33 @@ function configtool_oidc() {
   if [[ ! -z $MAS_INSTANCE_ID ]]; then
     INSTANCE_NAME=$MAS_INSTANCE_ID
   fi
-  echo "entering mas-${INSTANCE_NAME}-core project"
-  oc project mas-${INSTANCE_NAME}-core
-  OAUTH_ADMIN_USERNAME=`oc get secret ${INSTANCE_NAME}-credentials-oauth-admin -o jsonpath="{.data['oauth-admin-username']}" | base64 -d`
-  OAUTH_ADMIN_PWD=`oc get secret ${INSTANCE_NAME}-credentials-oauth-admin -o jsonpath="{.data['oauth-admin-password']}" | base64 -d`
+
+
+  # lookup oauth admin credentials from k8s secret if either were not specified as environment vars
+  if [[ -z "$OAUTH_ADMIN_USERNAME" || -z "$OAUTH_ADMIN_PWD" ]]; then
+    echo Login $CLUSTER_SERVER...
+    oc login --token=$CLUSTER_TOKEN --server=$CLUSTER_SERVER
+    echo "Entering mas-${INSTANCE_NAME}-core project"
+    oc project mas-${INSTANCE_NAME}-core
+    if [[ -z "${OAUTH_ADMIN_USERNAME}" ]]; then
+      echo "Lookup ${INSTANCE_NAME}-credentials-oauth-admin / oauth-admin-username"
+      OAUTH_ADMIN_USERNAME=`oc get secret ${INSTANCE_NAME}-credentials-oauth-admin -o jsonpath="{.data['oauth-admin-username']}" | base64 -d`
+    fi
+    if [[ -z "${OAUTH_ADMIN_PWD}" ]]; then
+      echo "Lookup ${INSTANCE_NAME}-credentials-oauth-admin / oauth-admin-password"
+      OAUTH_ADMIN_PWD=`oc get secret ${INSTANCE_NAME}-credentials-oauth-admin -o jsonpath="{.data['oauth-admin-password']}" | base64 -d`
+    fi
+  fi
 
   # unregister
   echo checking if $CLIENT_CONFIGTOOL existed
   status_code=`curl -k -w %{http_code} -s -o /dev/null -I --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD -H 'Content-Type: application/json' $OAUTH_URL_CONFIGTOOL`
   echo "status_code: $status_code"
   echo running $OIDC_OP
   if [[ "$status_code" -eq 200 ]] ; then
-    curl -k -w %{http_code} -s -o /dev/null -I --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD -H 'Content-Type: application/json' -X DELETE $OAUTH_URL_CONFIGTOOL
+    curl --fail -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD \
+      -H 'Content-Type: application/json' \
+      -X DELETE $OAUTH_URL_CONFIGTOOL || exit $?
     echo ""
     if [[ "$OIDC_OP" == "unregister" ]]; then
       echo "$OIDC_OP" Client $CLIENT_CONFIGTOOL.
@@ -210,19 +227,19 @@ function configtool_oidc() {
     fi
   else
     echo Some issue occurred in MAS OIDC server. Please try again later.
-    exit 0
+    exit 1
   fi
 
   # trust ui prefix
   echo TRUST_UI_PREFIX: $TRUST_UI_PREFIX
   if [[ -z $TRUST_UI_PREFIX ]]; then
     echo "${COLOR_RED}TRUST_UI_PREFIX must be provided and not empty. sample: export TRUST_UI_PREFIX=\"http://localhost:3000,http://localhost:3001\"${TEXT_RESET}"
-    exit 0
+    exit 1
   fi
   TRUST_UI_PARTS=(`echo $TRUST_UI_PREFIX | tr "," " "`)
   if [[ ${#TRUST_UI_PARTS[@]} -eq 0 ]]; then
     echo "${COLOR_RED}TRUST_UI_PREFIX is empty, at least define one URL. \"http://localhost:3000\"${TEXT_RESET}"
-    exit 0
+    exit 1
   fi
   CALLBACK="/auth/callback"
   TRUST_UIS="["
@@ -245,7 +262,7 @@ function configtool_oidc() {
   # register or update (the same as register)
   if [[ "$OIDC_OP" == "register" || "$OIDC_OP" == "update" ]]; then
     echo "$OIDC_OP" Client $CLIENT_CONFIGTOOL.
-    curl -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD \
+    curl --fail -k --user $OAUTH_ADMIN_USERNAME:$OAUTH_ADMIN_PWD \
     -H 'Accept: application/json' \
     -H 'Content-type: application/json' \
     -X POST $OAUTH_URL \
@@ -277,6 +294,6 @@ function configtool_oidc() {
 "redirect_uris": $REDIRECT_UIS
 }
 EOF
-)
+) || exit $?
   fi
 }

image/cli/mascli/functions/gitops_suite

@@ -76,6 +76,12 @@ IBM Maximo Application Suite:
 
       --mas-wipe-mongo-data ${COLOR_YELLOW}MAS_WIPE_MONGO_DATA${TEXT_RESET}           Set to "true" to wipe all mongo data for this MAS instance on uninstall (optional, defaults to false)
 
+      --oidc-config ${COLOR_YELLOW}OIDC_CONFIG${TEXT_RESET} YAML string for defining the OpenID clients (OIDC) that will be registered automatically after the suite is installed.
+        Currently supported:
+          "configtool" client suitable to use by the Maximo Application Framework (MAF) configurator tool. Specify as follows:
+            --oidc-config '{"configtool": {"trusted_uri_prefixes": ["https://example.com:443", "https://otherexample.com:8443"]}}'
+
+            "trusted_uri_prefixes" field is optional, defaults to ["http://localhost:3000", "http://localhost:3001", "http://localhost:3006"]
 
 Target Cluster (Optional):
       --cluster-url ${COLOR_YELLOW}CLUSTER_URL${TEXT_RESET}       Set to target a remote Kubernetes cluster (defaults to 'https://kubernetes.default.svc')
@@ -289,6 +295,11 @@ function gitops_suite_noninteractive() {
         export OVERRIDE_EDGE_CERTS=$1 && shift
         ;;
 
+      --oidc-config)
+        export OIDC_CONFIG=$1 && shift
+        ;;
+
+
       # Automatic GitHub Push
       -P|--github-push)
         export GITHUB_PUSH=true
@@ -355,6 +366,54 @@ function gitops_suite_noninteractive() {
     [[ -z "$GIT_BRANCH" ]] && gitops_suite_help "GIT_BRANCH is not set"
   fi
 
+  if [[ -n "${OIDC_CONFIG}" ]]; then
+
+    # Validate any OIDC_CONFIG passed in
+    export OIDC_CONFIG_YAML
+    OIDC_CONFIG_YAML=$(echo $OIDC_CONFIG | yq -P) || gitops_suite_help "OIDC_CONFIG is not valid YAML"
+
+    # Check configtool is the only top-level key
+    # If we add more supported keys in future, add to the filter expression as such: filter(. != "configtool" and . != "otherkey")
+    echo "${OIDC_CONFIG_YAML}" | yq eval  --exit-status=1 \
+      'keys | filter(. != "configtool" ) |  length == 0' \
+      1> /dev/null 2>&1 \
+      || gitops_suite_help "OIDC_CONFIG is invalid; only the 'configtool' key is supported at the top-level"
+
+    # If configtool is specified, check that "trusted_uri_prefixes" is the only child key
+    # If we add more supported keys in future, add to the filter expression as such: filter(. != "trusted_uri_prefixes" and . != otherkey)
+    echo "${OIDC_CONFIG_YAML}" | yq eval  --exit-status=1 \
+      '(. | has("configtool")) == false or 
+       (.configtool | keys | filter(. != "trusted_uri_prefixes") | length == 0)' \
+      1> /dev/null 2>&1 \
+      || gitops_suite_help "OIDC_CONFIG is invalid,; only the 'trusted_uri_properties' key is supported under 'configtool'"
+
+    # if specified, .configtool.trusted_uri_prefixes must be an array
+    echo "${OIDC_CONFIG_YAML}" | yq eval  --exit-status=1 \
+      '(. | has("configtool")) == false or 
+       (.configtool | has("trusted_uri_prefixes")) == false or 
+       (.configtool.trusted_uri_prefixes | type == "!!seq")' \
+      1> /dev/null 2>&1 \
+      || gitops_suite_help "OIDC_CONFIG is invalid; if specified, the value of 'configtool.trusted_uri_properties' must be an array"
+
+    # if specified, all elements of .configtool.trusted_uri_prefixes must be an array containing only strings
+    echo "${OIDC_CONFIG_YAML}" | yq eval  --exit-status=1 \
+      '(. | has("configtool")) == false or
+       (.configtool | has("trusted_uri_prefixes")) == false or
+       (.configtool.trusted_uri_prefixes | length == 0) or
+       (.configtool.trusted_uri_prefixes.[] | type == "!!str") as $item ireduce (true; . and $item)' \
+       1> /dev/null 2>&1 \
+       || gitops_suite_help "OIDC_CONFIG is invalid; if specified, the value of 'configtool.trusted_uri_properties' must be an array containing only strings"
+
+    # if no trusted_uri_prefixes field specified under configtool, set some defaults
+    if $(echo "${OIDC_CONFIG_YAML}" | yq eval --exit-status=1 \
+      '(. | has("configtool")) == true and
+       (.configtool | has("trusted_uri_prefixes")) == false' \
+       1> /dev/null 2>&1); then
+      OIDC_CONFIG_YAML=$(echo "${OIDC_CONFIG_YAML}" | yq '.configtool.trusted_uri_prefixes = ["http://localhost:3000","http://localhost:3001","http://localhost:3006"]')
+    fi
+
+  fi
+
 }
 
 function gitops_suite() {
@@ -438,6 +497,7 @@ function gitops_suite() {
   echo_reset_dim "Cert Manager Namespace ......... ${COLOR_MAGENTA}${CERT_MANAGER_NAMESPACE}"
   echo_reset_dim "DNS Provider ................... ${COLOR_MAGENTA}${DNS_PROVIDER}"
   echo_reset_dim "Pod Template YAML File  ........ ${COLOR_MAGENTA}${MAS_POD_TEMPLATE_YAML}"
+  echo_reset_dim "OIDC Config .................... ${COLOR_MAGENTA}${OIDC_CONFIG}"
   reset_colors
 
   if [[ -n "$DNS_PROVIDER" ]]; then

image/cli/mascli/templates/gitops/appset-configs/cluster/instance/ibm-mas-suite.yaml.j2

@@ -77,3 +77,8 @@ ibm_mas_suite:
   mas_pod_templates:
     {{ MAS_POD_TEMPLATE | indent(4) }}
 {% endif %}
+
+{% if OIDC_CONFIG_YAML is defined and OIDC_CONFIG_YAML !='' %}
+  oidc:
+    {{ OIDC_CONFIG_YAML | indent(4) }}
+{% endif %}

tekton/src/pipelines/gitops/gitops-mas-instance.yml.j2

@@ -194,6 +194,11 @@ spec:
     - name: sls_license_icn
       type: string
 
+    # oidc parameters
+    # ------------------------------------------------------------------------- 
+    - name: oidc
+      type: string
+
   tasks:
 
     # 0. Per-instance DB2U Operator
@@ -382,6 +387,8 @@ spec:
           value: $(params.mas_pod_template_yaml)
         - name: mas_wipe_mongo_data
           value: $(params.mas_wipe_mongo_data)
+        - name: oidc
+          value: $(params.oidc)
       taskRef:
         kind: Task
         name: gitops-suite

tekton/src/tasks/gitops/gitops-suite.yml.j2

@@ -122,6 +122,8 @@ spec:
     - name: mas_wipe_mongo_data
       type: string
       default: "false"
+    - name: oidc
+      type: string
   stepTemplate:
     name: gitops-suite
     env:
@@ -217,6 +219,9 @@ spec:
         value: $(params.mas_pod_template_yaml)
       - name: MAS_WIPE_MONGO_DATA
         value: $(params.mas_wipe_mongo_data)
+
+      - name: OIDC_CONFIG
+        value: $(params.oidc)
     envFrom:
       - configMapRef:
           name: environment-properties