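---
# Tasks for OAuth configuration.
#
# 1. Create (or update) the OpenShift OAuthClient that ArgoCD's Dex
#    connector authenticates with.
# 2. Register Google as a cluster identity provider.
# 3. Enable the RouteExternalCertificate feature gate.
#
# Inputs expected from the caller:
#   argocd_oauth_client_name, cluster_name, cluster_region,
#   k8s_auth_params.kubeconfig, k8s_auth_params.validate_certs,
#   google_hosted_domain,
#   vars[cluster_region][cluster_name].google_client_id / .google_client_secret
# Facts exported: oauth_client_secret, argocd_client_id, argocd_client_secret
#
# Security notes:
#   - The existence check runs BEFORE a secret is chosen, so re-running these
#     tasks reuses the secret an existing OAuthClient already has instead of
#     rotating it behind ArgoCD's back. A random secret is generated only when
#     no client exists yet.
#   - Every task that carries a client secret (in its arguments or in its
#     registered result) runs with no_log so the value does not leak into
#     verbose output or callback/log plugins.

# Both ArgoCD instances share one OAuth client. Define the callback list once
# so a later edit cannot leave create and update out of sync.
- name: Define ArgoCD OAuth callback URIs
  ansible.builtin.set_fact:
    argocd_oauth_redirect_uris:
      - "https://argocd.apps.{{ cluster_name }}.{{ cluster_region }}.container.mom/api/dex/callback"
      - "https://wkl-argocd.apps.{{ cluster_name }}.{{ cluster_region }}.container.mom/api/dex/callback"

# Look up the client first. An absent OAuthClient comes back as an empty
# `resources` list rather than an error, so a failure here means the API call
# itself failed (auth, connectivity) and must not be ignored: treating it as
# "client does not exist" would silently rotate the secret on the next task.
- name: Check if OAuth client exists
  kubernetes.core.k8s_info:
    api_version: oauth.openshift.io/v1
    kind: OAuthClient
    name: "{{ argocd_oauth_client_name }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  register: existing_oauth_client
  no_log: true  # the returned object carries the current client secret

# Reuse the existing secret when there is one; otherwise generate a fresh
# 32-character alphanumeric secret. The '/dev/null' path tells the password
# lookup not to persist the generated value on the controller.
- name: Settle the OAuth client secret (reuse existing, else generate)
  ansible.builtin.set_fact:
    oauth_client_secret: >-
      {{ existing_oauth_client.resources[0].secret
      if (existing_oauth_client.resources | default([]) | length > 0
      and existing_oauth_client.resources[0].secret is defined)
      else lookup('password', '/dev/null chars=ascii_letters,digits length=32') }}
  no_log: true

# One idempotent create-or-update now that the secret is settled.
- name: Create or update OpenShift OAuth client
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: oauth.openshift.io/v1
      kind: OAuthClient
      metadata:
        name: "{{ argocd_oauth_client_name }}"
      secret: "{{ oauth_client_secret }}"
      redirectURIs: "{{ argocd_oauth_redirect_uris }}"
      # auto: tokens are issued without a per-user consent prompt. Use
      # "prompt" instead if end users must explicitly approve this client.
      grantMethod: auto
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  no_log: true  # the definition contains the client secret

# Facts consumed by the ArgoCD/Dex configuration tasks.
- name: Store OAuth client details as facts
  ansible.builtin.set_fact:
    argocd_client_id: "{{ argocd_oauth_client_name }}"
    argocd_client_secret: "{{ oauth_client_secret }}"
  no_log: true

# Configure Google as identity provider. The client secret lives in a Secret
# in openshift-config and is referenced by name from the OAuth/cluster
# resource, never inlined there.
- name: Create Google OAuth secret
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: google-secret
        namespace: openshift-config
      type: Opaque
      stringData:
        clientSecret: "{{ vars[cluster_region][cluster_name]['google_client_secret'] }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  no_log: true  # stringData holds the Google client secret
  # An empty value would silently provision a non-working IdP; require a
  # non-empty secret rather than defaulting to ''.
  when:
    - vars[cluster_region][cluster_name]['google_client_secret'] is defined
    - vars[cluster_region][cluster_name]['google_client_secret'] | length > 0

# NOTE(review): state=present on the existing OAuth/cluster object submits the
# whole identityProviders list; any other provider already configured on the
# cluster (e.g. an htpasswd break-glass login) is expected to be replaced by
# this list. Confirm that is intended, or add those providers here.
- name: Configure OAuth for Google identity provider
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: config.openshift.io/v1
      kind: OAuth
      metadata:
        name: cluster
      spec:
        identityProviders:
          - name: googleidp
            # claim: fail the login if the identity is already mapped to a
            # different user instead of silently re-linking it.
            mappingMethod: claim
            type: Google
            google:
              clientID: "{{ vars[cluster_region][cluster_name]['google_client_id'] }}"
              clientSecret:
                name: google-secret
              # restricts sign-in to accounts of this Google Workspace domain
              hostedDomain: "{{ google_hosted_domain }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when:
    - vars[cluster_region][cluster_name]['google_client_id'] is defined
    - vars[cluster_region][cluster_name]['google_client_id'] | length > 0

# Enable the RouteExternalCertificate feature.
# NOTE(review): featureSet CustomNoUpgrade is documented by OpenShift as not
# reversible and as blocking cluster upgrades (and with them the normal
# security-patch path). Confirm this is intended for every cluster these
# tasks target before running them.
- name: Enable RouteExternalCertificate feature gate
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: config.openshift.io/v1
      kind: FeatureGate
      metadata:
        name: cluster
      spec:
        featureSet: CustomNoUpgrade
        customNoUpgrade:
          enabled:
            - RouteExternalCertificate
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  register: feature_gate_result

# Fixed grace period for the operators to pick up the new feature set. This
# is a plain sleep and does not verify that the roll-out completed; only
# runs when the gate was actually changed.
- name: Wait for feature gate to be applied
  ansible.builtin.pause:
    seconds: 60
  when: feature_gate_result.changed | bool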