Merge pull request OCP-on-NERC#16 from larsks/feature/github-idp

Configure GitHub IDP and cluster-admin access
larsks · Jun 22, 2022 · 023c830 · 023c830
2 parents 969611b + 3a63cab
commit 023c830
Show file tree

Hide file tree

Showing 15 changed files with 113 additions and 0 deletions.
diff --git a/cluster-scope/base/config.openshift.io/oauths/cluster/kustomization.yaml b/cluster-scope/base/config.openshift.io/oauths/cluster/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - oauth.yaml
diff --git a/cluster-scope/base/config.openshift.io/oauths/cluster/oauth.yaml b/cluster-scope/base/config.openshift.io/oauths/cluster/oauth.yaml
@@ -0,0 +1,9 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    release.openshift.io/create-only: "true"
+  name: cluster
diff --git a/...thorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/clusterrolebinding.yaml b/...thorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-admins-nerc-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-reader
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: cluster-admins
diff --git a/...ac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/kustomization.yaml b/...ac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - clusterrolebinding.yaml
diff --git a/...thorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/clusterrolebinding.yaml b/...thorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-admins-nerc-sudoer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: sudoer
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: Group
+    name: cluster-admins
diff --git a/...ac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/kustomization.yaml b/...ac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - clusterrolebinding.yaml
diff --git a/...e/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/clusterrolebinding.yaml b/...e/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/clusterrolebinding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "false"
+  name: self-provisioners
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: self-provisioner
+subjects: []
diff --git a/...e/base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/kustomization.yaml b/...e/base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - clusterrolebinding.yaml
diff --git a/cluster-scope/base/user.openshift.io/groups/cluster-admins/group.yaml b/cluster-scope/base/user.openshift.io/groups/cluster-admins/group.yaml
@@ -0,0 +1,5 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+  name: cluster-admins
+users: []
diff --git a/cluster-scope/base/user.openshift.io/groups/cluster-admins/kustomization.yaml b/cluster-scope/base/user.openshift.io/groups/cluster-admins/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+    - group.yaml
diff --git a/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml b/cluster-scope/bundles/cluster-admin-rbac/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-sudoer
+- ../../base/rbac.authorization.k8s.io/clusterrolebindings/cluster-admins-nerc-reader
+- ../../base/user.openshift.io/groups/cluster-admins
diff --git a/cluster-scope/overlays/common/kustomization.yaml b/cluster-scope/overlays/common/kustomization.yaml
@@ -5,3 +5,6 @@ resources:
 - machineconfigs/99-worker-ssh.yaml
 - ../../base/operators.coreos.com/subscriptions/cert-manager
 - ../../base/operators.coreos.com/subscriptions/external-secrets-operator
+- ../../base/config.openshift.io/oauths/cluster
+- ../../base/rbac.authorization.k8s.io/clusterrolebindings/self-provisioners
+- ../../bundles/cluster-admin-rbac/
diff --git a/cluster-scope/overlays/nerc-ocp-infra/groups/cluster-admins_patch.yaml b/cluster-scope/overlays/nerc-ocp-infra/groups/cluster-admins_patch.yaml
@@ -0,0 +1,16 @@
+apiVersion: user.openshift.io/v1
+kind: Group
+metadata:
+  name: cluster-admins
+  annotations:
+    kustomize.config.k8s.io/behavior: replace
+users:
+- jtriley
+- larsks
+- tzumainn
+- chrisstafford
+- knikolla
+- aabaris
+- naved001
+- joachimweyl
+- mikthoma
diff --git a/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml b/cluster-scope/overlays/nerc-ocp-infra/kustomization.yaml
@@ -8,3 +8,7 @@ resources:
 - ../../bundles/acm
 - ../../bundles/odf
 - clusterversion.yaml
+
+patches:
+  - path: oauths/cluster_patch.yaml
+  - path: groups/cluster-admins_patch.yaml
diff --git a/cluster-scope/overlays/nerc-ocp-infra/oauths/cluster_patch.yaml b/cluster-scope/overlays/nerc-ocp-infra/oauths/cluster_patch.yaml
@@ -0,0 +1,15 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+  name: cluster
+spec:
+  identityProviders:
+    - name: github
+      mappingMethod: claim
+      type: GitHub
+      github:
+        clientID: 77915cd4cdb5c4df7723
+        clientSecret:
+          name: github-client-secret
+        teams:
+          - ocp-on-nerc/nerc-ops