From b5063e54298002f44e65dca23720c6c515740033 Mon Sep 17 00:00:00 2001
From: He Liu
Date: Mon, 6 May 2024 15:43:00 +0800
Subject: [PATCH] enabel external oidc in capi

---
 ...s-private-release-4.15__amd64-nightly.yaml | 5 ++-
 ...rshift-extended-capi-provision-commands.sh | 45 ++++++++++++++++---
 ...ypershift-extended-capi-provision-ref.yaml | 10 +++++
 ...osa-aws-sts-hcp-capi-private-workflow.yaml | 4 +-
 4 files changed, 57 insertions(+), 7 deletions(-)

diff --git a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__amd64-nightly.yaml b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__amd64-nightly.yaml
index 46422c5e41d6a..f7ebcfd123ebc 100644
--- a/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__amd64-nightly.yaml
+++ b/ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.15__amd64-nightly.yaml
@@ -1054,7 +1054,10 @@ tests:
       TEST_FILTERS: ~ChkUpgrade&;~NonPreRelease&;~Serial&;~Disruptive&;~DisconnectedOnly&;~HyperShiftMGMT&;~MicroShiftOnly&;~NonHyperShiftHOST&;ROSA&
       TEST_IMPORTANCE: Critical
     test:
-    - chain: openshift-e2e-test-hypershift-qe
+    - ref: cucushift-hypershift-extended-health-check
+    - ref: openshift-extended-test
+    - ref: openshift-extended-web-tests
+    - ref: openshift-e2e-test-qe-report
     workflow: rosa-aws-sts-hcp-capi-private
 - as: aws-rosa-hcp-int-full-f7
   cron: 29 23 4,13,20,27 * *
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/capi/provision/cucushift-hypershift-extended-capi-provision-commands.sh b/ci-operator/step-registry/cucushift/hypershift-extended/capi/provision/cucushift-hypershift-extended-capi-provision-commands.sh
index 01569174645e3..fb3fb6f8e9f5d 100644
--- a/ci-operator/step-registry/cucushift/hypershift-extended/capi/provision/cucushift-hypershift-extended-capi-provision-commands.sh
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/capi/provision/cucushift-hypershift-extended-capi-provision-commands.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-set -euo pipefail
+set -xeuo pipefail
 
 function retry() {
   local check_func=$1
@@ -72,6 +72,41 @@ function rosa_login() {
   oc create secret -n default generic rosa-creds-secret --from-literal=ocmToken="${ROSA_TOKEN}" --from-literal=ocmApiUrl="${ocm_api_url}"
 }
 
+function set_eternal_azure_oidc() {
+  ISSUER_URL="$(cat /var/run/hypershift-ext-oidc-app-cli/issuer-url)"
+  CLI_CLIENT_ID="$(cat /var/run/hypershift-ext-oidc-app-cli/client-id)"
+  CONSOLE_CLIENT_ID="$(cat /var/run/hypershift-ext-oidc-app-console/client-id)"
+  CONSOLE_CLIENT_SECRET="$(cat /var/run/hypershift-ext-oidc-app-console/client-secret)"
+  CONSOLE_CLIENT_SECRET_NAME=console-secret
+
+  oc -n default create secret generic ${CONSOLE_CLIENT_SECRET_NAME} --from-literal=clientSecret="${CONSOLE_CLIENT_SECRET}"
+
+  export EXTERNAL_AUTH_PROVIDERS="  externalAuthProviders:
+  - name: entra-id
+    issuer:
+      issuerURL: ${ISSUER_URL}
+      audiences:
+      - ${CONSOLE_CLIENT_ID}
+      - ${CLI_CLIENT_ID}
+    oidcClients:
+    - componentName: cli
+      componentNamespace: openshift-console
+      clientID: ${CLI_CLIENT_ID}
+    - componentName: console
+      componentNamespace: openshift-console
+      clientID: ${CONSOLE_CLIENT_ID}
+      clientSecret:
+        name: ${CONSOLE_CLIENT_SECRET_NAME}
+    claimMappings:
+      username:
+        claim: email
+        prefixPolicy:
+        prefix: \"oidc-user-test:\"
+      groups:
+        claim: groups
+        prefix: \"oidc-groups-test:\""
+}
+
 function export_envs() {
   # kubeconfig
   export KUBECONFIG="${SHARED_DIR}/kubeconfig"
@@ -208,10 +243,9 @@ ${ADDITIONAL_SECURITY_GROUPS_YAML}"
 
   export NODEPOOL_NAME="nodepool-0"
 
-# # some other optional spec of rosacontrolplane
-# export MACHINE_CIDR=${MACHINE_CIDR}
-# export NETWORK_TYPE=${NETWORK_TYPE}
-# export ENDPOINT_ACCESS=${ENDPOINT_ACCESS}
+  if [[ "${ENABLE_EXTERNAL_OIDC}" == "true" ]]; then
+    set_eternal_azure_oidc
+  fi
 }
 
 # main
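Review bot: Switching the first line of the script to `set -xeuo pipefail` makes bash trace every expanded command and assignment to stderr, and the new set_eternal_azure_oidc function in the `@@ -72,6 +72,41 @@` hunk below both assigns the console client secret to `CONSOLE_CLIENT_SECRET` and passes it as `--from-literal=clientSecret=...`, so the secret value is written twice into the job log. Either drop `-x` again, or keep the secret out of the traced shell entirely: replace the `CONSOLE_CLIENT_SECRET=` line and the `oc` call with `oc -n default create secret generic "${CONSOLE_CLIENT_SECRET_NAME}" --from-file=clientSecret=/var/run/hypershift-ext-oidc-app-console/client-secret`. If tracing is still wanted for the rest of the script, bracket the remaining secret-handling lines with `set +x` / `set -x`.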
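Review bot: The helper name `set_eternal_azure_oidc` reads like a typo for "external"; it is also called from the `@@ -208,10 +243,9 @@` hunk, so both sites would need the rename. `ISSUER_URL`, `CLI_CLIENT_ID`, `CONSOLE_CLIENT_ID` and `CONSOLE_CLIENT_SECRET_NAME` are only consumed inside the function and could be `local`, leaving `EXTERNAL_AUTH_PROVIDERS` as the single exported result, and `${CONSOLE_CLIENT_SECRET_NAME}` on the `oc` line should be quoted like the other expansions in the file. A header comment would help the next reader, e.g. `# Build the externalAuthProviders fragment for the ROSAControlPlane manifest from the credentials mounted under /var/run/hypershift-ext-oidc-app-{cli,console}; creates the console-secret Secret in the default namespace and exports EXTERNAL_AUTH_PROVIDERS.` The `prefixPolicy:` key under `username:` appears to carry no value in the patch as shown — worth confirming the intended mapping, since an empty field may be rejected or silently ignored by the API.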
@@ -260,6 +294,7 @@ kind: ROSAControlPlane
 metadata:
   name: "${CLUSTER_NAME}-control-plane"
 spec:
+${EXTERNAL_AUTH_PROVIDERS}
   rosaClusterName: ${CLUSTER_NAME:0:54}
   version: "${OPENSHIFT_VERSION}"
   region: "${AWS_REGION}"
diff --git a/ci-operator/step-registry/cucushift/hypershift-extended/capi/provision/cucushift-hypershift-extended-capi-provision-ref.yaml b/ci-operator/step-registry/cucushift/hypershift-extended/capi/provision/cucushift-hypershift-extended-capi-provision-ref.yaml
index 5973156fccae5..94b82be7c60a6 100644
--- a/ci-operator/step-registry/cucushift/hypershift-extended/capi/provision/cucushift-hypershift-extended-capi-provision-ref.yaml
+++ b/ci-operator/step-registry/cucushift/hypershift-extended/capi/provision/cucushift-hypershift-extended-capi-provision-ref.yaml
@@ -9,6 +9,13 @@ ref:
     requests:
       cpu: 100m
       memory: 100Mi
+  credentials:
+  - mount_path: /var/run/hypershift-ext-oidc-app-cli
+    name: hypershift-ext-oidc-app-cli
+    namespace: test-credentials
+  - mount_path: /var/run/hypershift-ext-oidc-app-console
+    name: hypershift-ext-oidc-app-console
+    namespace: test-credentials
   env:
   - name: OCM_LOGIN_ENV
     default: "staging"
@@ -73,6 +80,9 @@ ref:
   - name: CLUSTER_SECTOR
     default: ""
     documentation: Sector groups a set of service clusters for HCP. The supported values are [canary, main].
+  - name: ENABLE_EXTERNAL_OIDC
+    default: "false"
+    documentation: Enable external OIDC.
   - name: NODE_DRAIN_GRACE_PERIOD
     default: ""
     documentation: |-
diff --git a/ci-operator/step-registry/rosa/aws/sts/hcp/capi-private/rosa-aws-sts-hcp-capi-private-workflow.yaml b/ci-operator/step-registry/rosa/aws/sts/hcp/capi-private/rosa-aws-sts-hcp-capi-private-workflow.yaml
index 47a516670b04e..8d4ec774c0b47 100644
--- a/ci-operator/step-registry/rosa/aws/sts/hcp/capi-private/rosa-aws-sts-hcp-capi-private-workflow.yaml
+++ b/ci-operator/step-registry/rosa/aws/sts/hcp/capi-private/rosa-aws-sts-hcp-capi-private-workflow.yaml
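Review bot: `${EXTERNAL_AUTH_PROVIDERS}` is only assigned when `ENABLE_EXTERNAL_OIDC` is `"true"` (the `@@ -208,10 +243,9 @@` hunk), yet the ref file defaults that flag to `"false"`, so in the default case this line expands an unset variable and, with `set -u` in force, the script aborts while rendering the manifest — unless the variable is initialised somewhere outside the visible hunks. Using `${EXTERNAL_AUTH_PROVIDERS:-}` keeps the manifest valid in both modes, or `export EXTERNAL_AUTH_PROVIDERS=""` could be set before the `if` in export_envs. The heredoc this line belongs to starts and ends outside the hunk.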
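Review bot: The two credential mounts are added unconditionally while `ENABLE_EXTERNAL_OIDC` defaults to `"false"` in the `@@ -73,6 +80,9 @@` hunk, so every job that consumes this step now needs `hypershift-ext-oidc-app-cli` and `hypershift-ext-oidc-app-console` to exist in `test-credentials` even when it never enables external OIDC; if that is intended it should be stated in the flag's documentation, which currently reads only `Enable external OIDC.`. Suggested wording: `documentation: When "true", configure the ROSAControlPlane with an external OIDC (entra-id) provider built from the hypershift-ext-oidc-app-cli and hypershift-ext-oidc-app-console credentials mounted under /var/run, and create the console-secret Secret in the default namespace. The credentials are mounted regardless of this value.`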
@@ -17,6 +17,7 @@ workflow:
       DEFAULT_MP_MAX_REPLICAS: 6
       DEFAULT_MP_MIN_REPLICAS: 3
       NODE_DRAIN_GRACE_PERIOD: "10m"
+      ENABLE_EXTERNAL_OIDC: "true"
     pre:
     - chain: cucushift-installer-rehearse-aws-ipi-ovn-provision
     - ref: aws-provision-vpc-shared
@@ -34,8 +35,9 @@ workflow:
     - ref: rosa-cluster-notify-error
     - ref: rosa-cluster-wait-ready-operators
     - ref: aws-provision-tags-for-byo-vpc
-    - ref: osd-ccs-conf-idp-htpasswd-multi-users
     - ref: rosa-cluster-wait-ready-nodes
+    - ref: openshift-extended-web-tests-ext-oidc-cli-login
+    - ref: cucushift-hypershift-extended-external-oidc-grant-user-role
     - ref: cucushift-hypershift-extended-capi-health-check
     post:
     - ref: cucushift-hypershift-extended-capi-deprovision