# OpenShift Google OAuth Configuration Playbook

This playbook configures Google as an identity provider for your OpenShift cluster and sets up the following RBAC permissions:

- Cluster viewer role for any @container.mom email addresses

## Prerequisites

1. OpenShift cluster is accessible and you have admin permissions
2. Google Cloud Platform project with OAuth 2.0 credentials
3. Ansible Navigator installed (to avoid Python dependency issues)
4. Your cluster's kubeadmin password must be added to the Ansible Vault (see instructions below)

## Installing Ansible Navigator

Ansible Navigator is a text-based user interface (TUI) for Ansible that uses execution environments (containers) to ensure all dependencies are available.

```bash
# Install with pip
pip install ansible-navigator

# Verify installation
ansible-navigator --version
```

## Managing Cluster Credentials in Ansible Vault

We store cluster credentials in a hierarchical structure in the Ansible Vault:

```yaml
# Global settings
global:
  registry_token: "your-github-container-registry-token"
  repo_token: "your-github-repo-access-token"
  test:
    mongodb_uri: "mongodb://user:pass@host:port/test-db"
  prod:
    mongodb_uri: "mongodb://user:pass@host:port/prod-db"

# Region and cluster specific settings
euw:
  hub:
    kubeadmin_password: "your-password-here"
  spoke1:
    kubeadmin_password: "another-password-here"
use:
  hub:
    kubeadmin_password: "us-east-password-here"
```

To add a cluster's credentials to the vault, run:

```bash
# From the ansible directory
cd /home/josie/development/container-mom-go/ansible

# Run the helper playbook
ansible-playbook playbooks/add_cluster_to_vault.yml --ask-vault-pass
```

This interactive playbook will:
1. Prompt you for the cluster region (e.g., euw, use)
2. Prompt you for the cluster name (e.g., hub, spoke1)
3. Prompt you for the kubeadmin password
4. Add or update the credentials in the secrets.yml vault file

If you need to manually edit the vault file:
```bash
# View the vault file
ansible-vault view secrets.yml

# Edit the vault file
ansible-vault edit secrets.yml
```

## Setting Up Google OAuth Credentials

1. Go to the [Google Cloud Console](https://console.cloud.google.com/)
2. Create a new project or select an existing one
3. Navigate to "APIs & Services" > "Credentials"
4. Click "Create credentials" and select "OAuth client ID"
5. Set the application type to "Web application"
6. Set a name for your OAuth client
7. Add authorized redirect URIs:
   - https://oauth-openshift.apps.hub.euw.container.mom/oauth2callback/googleidp

## Setting Up GitHub Credentials for ArgoCD

ArgoCD needs credentials to pull from private GitHub repositories:

1. The playbook uses the GitHub Personal Access Token (PAT) stored in the global settings
2. It's stored in the `global.repo_token` field in the `secrets.yml` file
3. The username is hardcoded to "pfeifferj" in the playbook
4. The container registry uses the token stored in `global.registry_token` (can be the same token with appropriate scopes)

## Deployment Environments

The playbook sets up two deployment environments:

1. **Production environment** (`container-mom-system` namespace):
   - Uses the production MongoDB database from `global.prod.mongodb_uri`
   - Will be configured to use the stable version of the operator

2. **Test environment** (`container-mom-system-test` namespace):
   - Uses the test MongoDB database from `global.test.mongodb_uri`
   - Will be configured to use the latest version of the operator
   - Useful for testing new features before promoting to production

## Configuring the Playbook

1. Update the `secrets.yml` file with your Google OAuth credentials:
   ```yaml
   euw:
     hub:
       google_client_id: "YOUR_GOOGLE_CLIENT_ID"
       google_client_secret: "YOUR_GOOGLE_CLIENT_SECRET"
   ```

2. Update the inventory file with the correct cluster region and name:
   ```yaml
   cluster_region: "euw"
   cluster_name: "hub"
   openshift_cluster_api: "https://api.hub.euw.container.mom:6443"
   ```

## Running the Playbook

Execute the playbook with Ansible Navigator:

```bash
# From the ansible directory
cd /home/josie/development/container-mom-go/ansible

# Use the recommended role-based playbook
ansible-navigator run -i inventories/hub_cluster.yml playbooks/cluster_deploy_roles.yml --ask-vault-pass

# Or run in standard output mode
ansible-navigator run -i inventories/hub_cluster.yml playbooks/cluster_deploy_roles.yml --ask-vault-pass -m stdout
```

> **Note:** The `cluster_day2.yml` playbook is deprecated and will be removed in a future update. Please use the `cluster_deploy_roles.yml` playbook instead, which organizes functionality into reusable roles.

## Available Playbooks

1. **cluster_deploy_roles.yml** - Main playbook for setting up OpenShift clusters using roles
   - Handles all aspects of cluster configuration (OAuth, RBAC, GitOps, etc.)
   - Uses modular roles for better maintainability and flexibility
   - Recommended for all new deployments

2. **wkl_provision.yml** - Provisions workload-specific resources
   - Used for setting up specific workloads after cluster configuration

3. **cleanup.yml** - Removes deployed resources
   - Useful for cleanup and redeployment scenarios

4. **dns.yml** - Configures DNS settings
   - Handles domain name configuration

## Adding More Clusters

To configure additional clusters:

1. Add the cluster credentials to the vault using the helper playbook
2. Create a new inventory file for the cluster (or copy an existing one)
3. Update the region, name, and API URL in the inventory file
4. Run the playbook with the new inventory file

```bash
# Add cluster credentials
ansible-playbook playbooks/add_cluster_to_vault.yml --ask-vault-pass

# Create inventory file (e.g., for a spoke cluster)
cp inventories/hub_cluster.yml inventories/spoke1_cluster.yml

# Edit the new inventory file to update region, name, and API URL

# Run the playbook with the new inventory
ansible-navigator run -i inventories/spoke1_cluster.yml playbooks/configure_oauth_google.yml --ask-vault-pass
```

## Verification

After running the playbook:

1. Log in to the OpenShift web console
2. You should see "Log in with Google" as an option
3. The specified users should have the appropriate permissions

## Notes

- The Google identity provider uses email address as the identity
- Users logging in for the first time will have their identities created automatically
- Group sync is not automatically configured - if needed, additional configuration is required
- This approach makes it easy to onboard and manage multiple clusters

## Namespace and Secret Management

The `namespace_setup` role creates all required namespaces and initializes secrets:

- System namespaces (container-mom-system, container-mom-portal, etc.)
- Test namespaces (container-mom-system-test, container-mom-portal-test, etc.)
- Registry secrets for pulling container images
- Container Mom Portal secrets and configuration:
  - Authentication settings (Auth0 and basic auth)
  - Environment-specific configurations
  - Secure password management through Ansible Vault

To update these secrets, simply edit your encrypted secrets.yml file to include the environment-specific `container_mom_portal` sections:

```yaml
# In your secrets.yml file
global:
  # Other global settings...

  # Production environment
  prod:
    container_mom_portal:
      auth0:
        domain: "dev-a3o2jif0.us.auth0.com"
        client_id: "your_prod_auth0_client_id"
        client_secret: "your_prod_auth0_client_secret"
        secret: "your_prod_auth0_secret"
      basic_auth:
        enabled: false  # Disabled by default in production
        password: "strong-password"  # Still stored for manual enabling

  # Test environment
  test:
    container_mom_portal:
      auth0:
        domain: "dev-a3o2jif0.us.auth0.com"
        client_id: "your_test_auth0_client_id"  # Can differ from production
        client_secret: "your_test_auth0_client_secret"
        secret: "your_test_auth0_secret"
      basic_auth:
        enabled: true  # Enabled by default in test environment
        password: "another-strong-password"
```

This environment-based organization allows for different configurations in production and test environments, including:

- Different Auth0 credentials per environment
- Basic auth enabled by default only in test environments
- Separate passwords for each environment
- Consistent with how other secrets are organized

**Important:** The basic auth password is stored in the encrypted `secrets.yml` file and is only enabled in test environments by default.