#1495 koji_builder: switch the koji-osbuild token URL to the unified SSO
Merged 2 years ago by kevin. Opened 2 years ago by obudai.
fedora-infra/ obudai/ansible change-auth-url  into  main

@@ -4,7 +4,7 @@ 

  [composer:oauth]

  client_id = {{koji_builder_client_id}}

  client_secret = {{koji_builder_client_secret}}

- token_url = https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token

+ token_url = https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token

  

  [koji]

  server = https://koji.fedoraproject.org/kojihub
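Review bot: client_id and client_secret stay as the same templated variables in this hunk while token_url moves from the rhoas realm on identity.api.openshift.com to the redhat-external realm on sso.redhat.com. A client registered with one issuer is not automatically known to another, so confirm that the values behind koji_builder_client_id and koji_builder_client_secret are valid for the new realm, or are updated wherever those variables are defined as part of the same rollout. Otherwise the builder will fail at the token request as soon as this template is deployed.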

@@ -4,7 +4,7 @@ 

  [composer:oauth]

  client_id = {{koji_builder_client_id_stg}}

  client_secret = {{koji_builder_client_secret_stg}}

- token_url = https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token

+ token_url = https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token

  

  [koji]

  server = https://koji.stg.fedoraproject.org/kojihub
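Review bot: The token_url added here for staging is the same literal as the production one in the hunk above, so the two environments now authenticate against the same realm and differ only in the _stg client credentials. Consider defining the URL once in a variable shared by both templates so the next endpoint change is made in one place, and confirm that the staging client is scoped so its tokens are not accepted by the production composer API.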

@@ -19,10 +19,8 @@ 

       /usr/sbin/ipset add osbuildapi $j

  done

  

- {% if env == 'staging' %}

- # in stg we need to add identity.api because we are using api.stage above. 

- # in prod this is already the same as api.openshift.com, so skip it.

- RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query identity.api.openshift.com 2> /dev/null`

+ # both stage and prod authenticate using sso.redhat.com

+ RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query sso.redhat.com 2> /dev/null`

  test $? -eq 0 || exit $?

  

  NEWIDENTITYIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/g' | sort -n`
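Review bot: With the staging guard removed, production now also depends on a point-in-time lookup of sso.redhat.com: only the addresses resolvectl returns when the script runs are added to the osbuildapi set. If that name resolves to a changing set of addresses, token requests will be dropped at the firewall once the records rotate, so confirm the script is re-run often enough to track the DNS TTL. Separately, in the context line `test $? -eq 0 || exit $?`, the second $? is the status of test rather than of resolvectl, so the original error code is lost. Saving the status in a variable right after the resolvectl call would preserve it.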
@@ -31,4 +29,3 @@ 

  do

       /usr/sbin/ipset add osbuildapi $j

  done

- {% endif %}

identity.api.openshift.com was shut down several hours ago. The plugin now
needs to use sso.redhat.com instead.

This commit adjusts the token URL and the script that pokes holes in the
firewall for selected domains.

Looks reasonable to me.

Pull-Request has been merged by kevin

2 years ago