# OpenShift Google OAuth Configuration Playbook

This playbook configures Google as an identity provider for your OpenShift cluster and sets up the following RBAC permissions:

- Cluster viewer role for any @container.mom email addresses

## Prerequisites

1. OpenShift cluster is accessible and you have admin permissions
2. Google Cloud Platform project with OAuth 2.0 credentials
3. Ansible Navigator installed (to avoid Python dependency issues)
4. Your cluster's kubeadmin password must be added to the Ansible Vault (see instructions below)

## Installing Ansible Navigator

Ansible Navigator is a text-based user interface (TUI) for Ansible that uses execution environments (containers) to ensure all dependencies are available.

```bash
# Install with pip
pip install ansible-navigator

# Verify installation
ansible-navigator --version
```

## Managing Cluster Credentials in Ansible Vault

We store cluster credentials in a hierarchical structure in the Ansible Vault:

```yaml
# Global settings
global:
  registry_token: "your-github-container-registry-token"
  repo_token: "your-github-repo-access-token"
  test:
    mongodb_uri: "mongodb://user:pass@host:port/test-db"
  prod:
    mongodb_uri: "mongodb://user:pass@host:port/prod-db"

# Region and cluster specific settings
euw:
  hub:
    kubeadmin_password: "your-password-here"
  spoke1:
    kubeadmin_password: "another-password-here"
use:
  hub:
    kubeadmin_password: "us-east-password-here"
```

To add a cluster's credentials to the vault, run:

```bash
# From the ansible directory
cd /home/josie/development/container-mom-go/ansible

# Run the helper playbook
ansible-playbook playbooks/add_cluster_to_vault.yml --ask-vault-pass
```

This interactive playbook will:

1. Prompt you for the cluster region (e.g., euw, use)
2. Prompt you for the cluster name (e.g., hub, spoke1)
3. Prompt you for the kubeadmin password
4. Add or update the credentials in the secrets.yml vault file

If you need to manually edit the vault file:

```bash
# View the vault file
ansible-vault view secrets.yml

# Edit the vault file
ansible-vault edit secrets.yml
```

## Setting Up Google OAuth Credentials

1. Go to the [Google Cloud Console](https://console.cloud.google.com/)
2. Create a new project or select an existing one
3. Navigate to "APIs & Services" > "Credentials"
4. Click "Create credentials" and select "OAuth client ID"
5. Set the application type to "Web application"
6. Set a name for your OAuth client
7. Add authorized redirect URIs:
   - https://oauth-openshift.apps.hub.euw.container.mom/oauth2callback/googleidp

## Setting Up GitHub Credentials for ArgoCD

ArgoCD needs credentials to pull from private GitHub repositories:

1. The playbook uses the GitHub Personal Access Token (PAT) stored in the global settings
2. It's stored in the `global.repo_token` field in the `secrets.yml` file
3. The username is hardcoded to "pfeifferj" in the playbook
4. The container registry uses the token stored in `global.registry_token` (can be the same token with appropriate scopes)

## Deployment Environments

The playbook sets up two deployment environments:

1. **Production environment** (`container-mom-system` namespace):
   - Uses the production MongoDB database from `global.prod.mongodb_uri`
   - Will be configured to use the stable version of the operator
2. **Test environment** (`container-mom-system-test` namespace):
   - Uses the test MongoDB database from `global.test.mongodb_uri`
   - Will be configured to use the latest version of the operator
   - Useful for testing new features before promoting to production

## Configuring the Playbook

1. Update the `
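The cluster-side objects that the Google identity provider and the @container.mom viewer binding described above come down to, as an added illustration that is not the playbook's own code. The object names (`google-client-secret`, `container-mom-viewers`), the choice of the built-in `view` ClusterRole and the placeholder client ID/secret are assumptions; `hostedDomain` is what keeps the login itself restricted to @container.mom accounts, so a binding to every OAuth-authenticated user does not silently extend to any Google account.

```yaml
# Added illustration (not the playbook's own code). Values in <angle brackets>
# are placeholders; the real client secret belongs in the Ansible Vault.
---
apiVersion: v1
kind: Secret
metadata:
  name: google-client-secret          # assumed name
  namespace: openshift-config          # the OAuth operator reads IdP secrets from here
type: Opaque
stringData:
  clientSecret: "<google-oauth-client-secret>"
---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: googleidp                   # must match the /oauth2callback/googleidp redirect URI
      mappingMethod: claim
      type: Google
      google:
        clientID: "<google-oauth-client-id>.apps.googleusercontent.com"
        clientSecret:
          name: google-client-secret
        # Without hostedDomain any Google account (gmail.com included) can
        # log in; with it the provider only accepts @container.mom accounts.
        hostedDomain: container.mom
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: container-mom-viewers          # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view                           # assumed; use cluster-reader if the playbook grants that
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    # Every user who logged in through the OAuth server. This is only as
    # narrow as the hostedDomain restriction above makes it.
    name: system:authenticated:oauth
```

After applying, `oc get oauth cluster -o yaml` should show the provider and `oc whoami` for a freshly logged-in @container.mom user should resolve to a user that can list but not modify namespaced resources.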