worker: Support client_credentials grant type in client

This will allow us to use the service accounts which work against
identity.api.openshift.com. These are much easier to manage, especially
with the new multi-tenancy, as there's a single page to create/expire
them across an account.

They also have the added benefit of not expiring automatically when
they're not used like offline tokens, and immediate expiration when
desired.

templates/packer/ansible/roles/common/files/worker-initialization-scripts/client_credentials.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -eo pipefail
+source /tmp/cloud_init_vars
+
+echo "Writing client credentials."
+
+if [[ -z "$CLIENT_CREDENTIALS_ARN" ]]; then
+  echo "CLIENT_CREDENTIALS_ARN not defined, skipping."
+  exit 0
+fi
+
+# get client credentials
+/usr/local/bin/aws secretsmanager get-secret-value \
+  --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
+  --secret-id "${CLIENT_CREDENTIALS_ARN}" | jq -r ".SecretString" > /tmp/client-credentials.json
+
+CLIENT_ID=$(jq -r ".client_id" /tmp/client-credentials.json)
+jq -r ".client_secret" /tmp/client-credentials.json > /etc/osbuild-worker/client-secret
+rm -f /tmp/client-credentials.json
+
+sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
+[authentication]
+oauth_url = "https://identity.api.openshift.com/auth/realms/rhoas/protocol/openid-connect/token"
+client_id = "${CLIENT_ID}"
+client_secret = "/etc/osbuild-worker/client-secret"
+EOF

templates/packer/ansible/roles/common/files/worker-initialization-scripts/offline_token.sh

@@ -1,9 +1,14 @@
 #!/bin/bash
-set -euo pipefail
+set -eo pipefail
 source /tmp/cloud_init_vars
 
 echo "Writing offline token."
 
+if [[ -z "$OFFLINE_TOKEN_ARN" ]]; then
+  echo "OFFLINE_TOKEN_ARN not defined, skipping."
+  exit 0
+fi
+
 # get offline token
 /usr/local/bin/aws secretsmanager get-secret-value \
   --endpoint-url "${SECRETS_MANAGER_ENDPOINT_URL}" \
@@ -15,5 +20,6 @@ rm -f /tmp/offline-token.json
 sudo tee -a /etc/osbuild-worker/osbuild-worker.toml > /dev/null << EOF
 [authentication]
 oauth_url = "https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token"
+client_id = "rhsm-api"
 offline_token = "/etc/osbuild-worker/offline-token"
 EOF

templates/packer/ansible/roles/common/files/worker-initialization.service

@@ -10,6 +10,7 @@ ExecStart=touch /etc/worker-first-boot
 ExecStart=/usr/local/libexec/worker-initialization-scripts/set_hostname.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/vector.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/offline_token.sh
+ExecStart=/usr/local/libexec/worker-initialization-scripts/client_credentials.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/subscription_manager.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/get_aws_creds.sh
 ExecStart=/usr/local/libexec/worker-initialization-scripts/get_azure_creds.sh