Add oidc_cm.yml

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
2026-04-13 12:29:46 +08:00 · 2019-05-25 02:49:41 +02:00
parent 2d2feeaa5f
commit 647efabd30
7 changed files with 33 additions and 0 deletions
--- a/files/communishift/objects/README.md
+++ b/files/communishift/objects/README.md
@@ -0,0 +1,7 @@
+Instructions
+------------
+
+The files in this directory are the configuration files for communishift to be applied.
+
+For OIDC auth, get the client secret for "communishift" from ansible-private/files/ipsilon/openidc.production.static, and run:
+oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config
--- a/files/communishift/objects/machineconfigs/README.md
+++ b/files/communishift/objects/machineconfigs/README.md
--- a/files/communishift/objects/machineconfigs/firewall.sh
+++ b/files/communishift/objects/machineconfigs/firewall.sh
--- a/files/communishift/objects/machineconfigs/mc_chrony.yml.template
+++ b/files/communishift/objects/machineconfigs/mc_chrony.yml.template
--- a/files/communishift/objects/machineconfigs/mc_firewall.yml.template
+++ b/files/communishift/objects/machineconfigs/mc_firewall.yml.template
--- a/files/communishift/objects/machineconfigs/to_data.sh
+++ b/files/communishift/objects/machineconfigs/to_data.sh
--- a/files/communishift/objects/oidc_cm.yml
+++ b/files/communishift/objects/oidc_cm.yml
@@ -0,0 +1,26 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+  name: cluster
+spec:
+  identityProviders:
+  - name: fedoraidp
+    login: true
+    challenge: false
+    mappingMethod: claim
+    type: OpenID
+    openID:
+      clientID: communishift
+      clientSecret:
+        name: fedoraidp-clientsecret
+      extraScopes:
+      - email
+      - profile
+      claims:
+        preferredUsername:
+        - nickname
+        name:
+        - name
+        email:
+        - email
+      issuer: https://id.fedoraproject.org