# OpenShift Google OAuth Configuration Playbook This playbook configures Google as an identity provider for your OpenShift cluster and sets up the following RBAC permissions: - Cluster viewer role for any @container.mom email addresses ## Prerequisites 1. OpenShift cluster is accessible and you have admin permissions 2. Google Cloud Platform project with OAuth 2.0 credentials 3. Ansible Navigator installed (to avoid Python dependency issues) 4. Your cluster's kubeadmin password must be added to the Ansible Vault (see instructions below) ## Installing Ansible Navigator Ansible Navigator is a text-based user interface (TUI) for Ansible that uses execution environments (containers) to ensure all dependencies are available. ```bash # Install with pip pip install ansible-navigator # Verify installation ansible-navigator --version ``` ## Managing Cluster Credentials in Ansible Vault We store cluster credentials in a hierarchical structure in the Ansible Vault: ```yaml # Global settings global: registry_token: "your-github-container-registry-token" repo_token: "your-github-repo-access-token" test: mongodb_uri: "mongodb://user:pass@host:port/test-db" prod: mongodb_uri: "mongodb://user:pass@host:port/prod-db" # Region and cluster specific settings euw: hub: kubeadmin_password: "your-password-here" spoke1: kubeadmin_password: "another-password-here" use: hub: kubeadmin_password: "us-east-password-here" ``` To add a cluster's credentials to the vault, run: ```bash # From the ansible directory cd /home/josie/development/container-mom-go/ansible # Run the helper playbook ansible-playbook playbooks/add_cluster_to_vault.yml --ask-vault-pass ``` This interactive playbook will: 1. Prompt you for the cluster region (e.g., euw, use) 2. Prompt you for the cluster name (e.g., hub, spoke1) 3. Prompt you for the kubeadmin password 4. Add or update the credentials in the secrets.yml vault file If you need to manually edit the vault file: ```bash # View the vault file ansible-vault view secrets.yml # Edit the vault file ansible-vault edit secrets.yml ``` ## Setting Up Google OAuth Credentials 1. Go to the [Google Cloud Console](https://console.cloud.google.com/) 2. Create a new project or select an existing one 3. Navigate to "APIs & Services" > "Credentials" 4. Click "Create credentials" and select "OAuth client ID" 5. Set the application type to "Web application" 6. Set a name for your OAuth client 7. Add authorized redirect URIs: - https://oauth-openshift.apps.hub.euw.container.mom/oauth2callback/googleidp ## Setting Up GitHub Credentials for ArgoCD ArgoCD needs credentials to pull from private GitHub repositories: 1. The playbook uses the same GitHub Personal Access Token (PAT) that's used for container registry access 2. It's stored under the `registry_token` field in the `secrets.yml` file: ```yaml # Region and cluster specific section euw: hub: registry_token: "your-github-pat" # This token is used for both container registry and GitHub repo access ``` 3. The username is hardcoded to "pfeifferj" in the playbook ## Configuring the Playbook 1. Update the `secrets.yml` file with your Google OAuth credentials: ```yaml google_client_id: "YOUR_GOOGLE_CLIENT_ID" google_client_secret: "YOUR_GOOGLE_CLIENT_SECRET" ``` 2. Update the inventory file with the correct cluster region and name: ```yaml cluster_region: "euw" cluster_name: "hub" openshift_cluster_api: "https://api.hub.euw.container.mom:6443" ``` ## Running the Playbook Execute the playbook with Ansible Navigator: ```bash # From the ansible directory cd /home/josie/development/container-mom-go/ansible # Run in interactive mode ansible-navigator run -i inventories/hub_cluster.yml playbooks/configure_oauth_google.yml --ask-vault-pass # Or run in standard output mode ansible-navigator run -i inventories/hub_cluster.yml playbooks/configure_oauth_google.yml --ask-vault-pass -m stdout ``` ## Adding More Clusters To configure additional clusters: 1. Add the cluster credentials to the vault using the helper playbook 2. Create a new inventory file for the cluster (or copy an existing one) 3. Update the region, name, and API URL in the inventory file 4. Run the playbook with the new inventory file ```bash # Add cluster credentials ansible-playbook playbooks/add_cluster_to_vault.yml --ask-vault-pass # Create inventory file (e.g., for a spoke cluster) cp inventories/hub_cluster.yml inventories/spoke1_cluster.yml # Edit the new inventory file to update region, name, and API URL # Run the playbook with the new inventory ansible-navigator run -i inventories/spoke1_cluster.yml playbooks/configure_oauth_google.yml --ask-vault-pass ``` ## Verification After running the playbook: 1. Log in to the OpenShift web console 2. You should see "Log in with Google" as an option 3. The specified users should have the appropriate permissions ## Notes - The Google identity provider uses email address as the identity - Users logging in for the first time will have their identities created automatically - Group sync is not automatically configured - if needed, additional configuration is required - This approach makes it easy to onboard and manage multiple clusters