diff --git a/dp-terraform/osd-cluster-idp-setup.sh b/dp-terraform/osd-cluster-idp-setup.sh index e5745058c..94c33e399 100755 --- a/dp-terraform/osd-cluster-idp-setup.sh +++ b/dp-terraform/osd-cluster-idp-setup.sh @@ -7,17 +7,13 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" source "$SCRIPT_DIR/../scripts/lib/external_config.sh" if [[ $# -ne 2 ]]; then - echo "Usage: $0 [environment] [cluster] [admin-user-name]" >&2 + echo "Usage: $0 [environment] [cluster]" >&2 echo "Known environments: integration stage prod" echo "Cluster typically looks like: acs-{env}-dp-01" - echo "admin-user-name should be the RH SSO OIDC user name of the person running this script" echo "Description: This script will create identity providers for the OSD cluster:" echo "- OIDC provider using auth.redhat.com" echo "See additional documentation in docs/development/setup-osd-cluster-idp.md" echo - echo "It will NOT create a ServiceAccount for the data plane continuous deployment." - echo "See the cd-robot-account-setup.sh for that." - echo echo "Note: you need to be logged into OCM for your environment's administrator" echo "Note: you need access to AWS account of the selected environment" exit 2 @@ -25,7 +21,6 @@ fi ENVIRONMENT=$1 CLUSTER_NAME=$2 -OIDC_USER_NAME=${3:-$(whoami)} export AWS_AUTH_HELPER="${AWS_AUTH_HELPER:-aws-saml}" @@ -47,12 +42,6 @@ setup_oidc_provider() { else echo "Skipping creating an OIDC IdP for the cluster, already exists." fi - - # Give cluster administrative rights to the user that is bringing up the dataplane cluster. - # Ignore errors in case user already exists - ocm create user --cluster="${CLUSTER_NAME}" \ - --group=cluster-admins \ - "${OIDC_USER_NAME}" || true } case $ENVIRONMENT in @@ -85,24 +74,6 @@ CLUSTER_ID=$(ocm list cluster "${CLUSTER_NAME}" --no-headers --columns="ID") export_cluster_environment setup_oidc_provider -# Retrieve the cluster token from the configured IdP interactively. -echo "Login to the cluster using the OIDC IdP and obtain a token." -ocm cluster login "${CLUSTER_NAME}" --token -# This requires users to paste the token, since the command only opens the browser but doesn't retrieve the token itself. -echo "Paste the token (it will not be echoed to the screen):" -read -r -s CLUSTER_TOKEN - -# The ocm command likes to return trailing whitespace, so try and trim it: -CLUSTER_URL="$(ocm list cluster "${CLUSTER_NAME}" --no-headers --columns api.url | awk '{print $1}')" - -# Use a temporary KUBECONFIG to avoid storing credentials in and changing current context in user's day-to-day kubeconfig. -KUBECONFIG="$(mktemp)" -export KUBECONFIG -trap 'rm -f "${KUBECONFIG}"' EXIT - -echo "Logging into cluster ${CLUSTER_NAME}..." -oc login "${CLUSTER_URL}" --token="${CLUSTER_TOKEN}" - # This set of commands modifies OIDC provider to include "groups" claim mapping. CLUSTER_IDP_ID=$(ocm get /api/clusters_mgmt/v1/clusters/"$CLUSTER_ID"/identity_providers | jq -r '.items[0].id') tmpfile=$(mktemp /tmp/dataplane-idp-setup-tmp-patch-body.XXXXXX) @@ -132,19 +103,3 @@ cat <"$tmpfile" END ocm patch /api/clusters_mgmt/v1/clusters/"$CLUSTER_ID"/identity_providers/"$CLUSTER_IDP_ID" --body="$tmpfile" rm "$tmpfile" - -# This command grants access to all RH employees to access cluster monitoring. -oc apply -f - <