#!/bin/bash
# source .env
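# Shared helpers (wait_for_preprocessing is presumably defined there, it is
# not in this file). Abort if sourcing fails: otherwise the helper call below
# degrades to "command not found" and the script continues without the gate
# it was meant to wait behind.
source ./utils.sh || { echo "Failed to source ./utils.sh" >&2; exit 1; }
wait_for_preprocessing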
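#######################################
# Abort the script when the command that ran just before this call failed.
# Must be called immediately after the command it guards: it inspects $? of
# whatever ran last (the call itself does not reset it), so any command in
# between would mask the status.
# Arguments: $* - message to print when aborting (all words are kept, so an
#                 unquoted multi-word argument is no longer truncated)
# Outputs:   the message on stderr when aborting
# Returns:   0 when the guarded command succeeded; otherwise exits 1
#######################################
print_failure() {
  # Capture first: every other statement in this function would overwrite $?.
  local rc=$?
  if (( rc != 0 )); then
    printf '%s\n' "$*" >&2
    exit 1
  fi
}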
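# Fail fast on missing configuration. Every one of these is consumed further
# down (cluster lookups, secret names, the OAuth CR issuer, the user cleanup);
# an empty value would otherwise only surface as a confusing oc error, or
# worse, as a CR applied with an empty issuer/clientID.
for required_var in CLUSTER_CLIENT_ID OPENSHIFT_OAUTH_NAME KEYCLOAK_HOSTNAME KEYCLOAK_REALM ARGO_ADMIN_USERNAME; do
  # ${!required_var} is indirect expansion: the value of the variable named
  # by $required_var.
  if [[ -z ${!required_var} ]]; then
    echo "Provide env var for ${required_var}" >&2
    exit 1
  fi
done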
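# CA bundle published by the SSO integration. Stays empty when the secret has
# no CA_CERT_BUNDLE key; the OAuth CR is rendered without a ca: reference then.
CA_CERT_BUNDLE=$(oc get secret sso-configs -n sso-integration -o jsonpath='{.data.CA_CERT_BUNDLE}' | base64 -d)

# Any non-empty value selects the managed-cluster path: log in to the target
# cluster with the admin credentials recorded on its clusterdeployment object
# (looked up in the namespace named after the cluster id) instead of operating
# on the cluster oc is already logged into.
if [[ -n ${IS_MANAGED_CLUSTER} ]]; then
  CLUSTER_SECRET_NAME=$(oc get clusterdeployment "${CLUSTER_CLIENT_ID}" -n "${CLUSTER_CLIENT_ID}" -o jsonpath='{.spec.clusterMetadata.adminPasswordSecretRef.name}')
  KUBE_ADMIN_SECRET=$(oc get secret "${CLUSTER_SECRET_NAME}" -n "${CLUSTER_CLIENT_ID}" -o jsonpath='{.data.password}' | base64 -d)
  KUBE_ADMIN_USERNAME=$(oc get secret "${CLUSTER_SECRET_NAME}" -n "${CLUSTER_CLIENT_ID}" -o jsonpath='{.data.username}' | base64 -d)
  CLUSTER_API_URL=$(oc get clusterdeployment "${CLUSTER_CLIENT_ID}" -n "${CLUSTER_CLIENT_ID}" -o jsonpath='{.status.apiURL}')
  # NOTE(review): exporting puts the admin password into the environment of
  # every child process started from here on (including the python helper
  # below). Kept for compatibility — confirm something downstream reads these;
  # if nothing does, drop the export and keep them as plain shell variables.
  export CLUSTER_SECRET_NAME KUBE_ADMIN_SECRET KUBE_ADMIN_USERNAME CLUSTER_API_URL

  if [[ -z ${KUBE_ADMIN_SECRET} ]]; then
    echo "Failed to get the admin creds" >&2
    exit 1
  fi
  if [[ -z ${CLUSTER_API_URL} ]]; then
    echo "Failed to get the CLUSTER_API_URL" >&2
    exit 1
  fi

  echo "Logging into ${CLUSTER_API_URL}"
  # TODO: remove the insecure TLS verify skip once the managed clusters can be
  # automatically provided with certs. Until then this login does not
  # authenticate the API server, and the admin password passed via -p is
  # visible to any local user via the process list.
  oc login --insecure-skip-tls-verify=true -u "${KUBE_ADMIN_USERNAME}" -p "${KUBE_ADMIN_SECRET}" "${CLUSTER_API_URL}"
  print_failure "Failed to login the managed cluster"
fi

echo "Getting oauth route"
oauthHost=$(oc get route oauth-openshift -n openshift-authentication -o jsonpath='{.spec.host}')
# Without this check a failed lookup silently produces the URL "https://".
if [[ -z ${oauthHost} ]]; then
  echo "Failed to get the oauth-openshift route host" >&2
  exit 1
fi
# Exported for the client-creation step that follows (presumably read by
# create-client-openshift.py — not visible from this file).
export CLUSTER_OAUTH_URL="https://${oauthHost}"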
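echo "Creating the client on Keycloak..."
# stdout and stderr are both captured so that a failure shows the helper's
# error text; the whole output is passed (quoted) to print_failure.
createClientOutput=$(python3.9 create-client-openshift.py 2>&1)
print_failure "${createClientOutput}"

# Extract the value after "clientSecret: " (the i flag is GNU sed's
# case-insensitive match, as in the original). With -n/p an output that does
# not contain the marker yields an empty string instead of the whole output,
# so the emptiness check below is the real "was it found" test — sed itself
# exits 0 either way, which is why a status check after it never fired.
# Assumes the helper prints a line of the form `clientSecret: <value>` — confirm.
clientSecret=$(printf '%s\n' "${createClientOutput}" | sed -n 's/^.*clientSecret: \(.*\)$/\1/ip' | tail -n 1)
if [[ -z ${clientSecret} ]]; then
  echo "Failed to filter out the created client secret" >&2
  exit 1
fi

echo "Creating the secret to be referened in OAuth CR"
# Recreate rather than patch so a secret left by a previous run cannot linger;
# --ignore-not-found keeps the first run free of a spurious error.
oc delete secret "${OPENSHIFT_OAUTH_NAME}-client-secret" -n openshift-config --ignore-not-found
oc create secret generic "${OPENSHIFT_OAUTH_NAME}-client-secret" --from-literal=clientSecret="${clientSecret}" -n openshift-config
print_failure "Failed to create the client secret in openshift-config"

echo "Creating configmap for ca certificates in case the keycloak server is using a self-signed or intermediate certificates..."
if [[ -n ${CA_CERT_BUNDLE} ]]; then
  echo "Create from configmap"
  # Render with a client-side dry run and apply, so a re-run updates the
  # bundle instead of failing with "already exists".
  oc create configmap ca-config-map --from-literal=ca.crt="${CA_CERT_BUNDLE}" -n openshift-config --dry-run=client -o yaml | oc apply -f -
  print_failure "Failed to create the ca-config-map configmap"
fi
echo "Removing existing user if existing"
echo "Configured OAuth CR..."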
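#######################################
# Render the OAuth CR that registers the Keycloak realm as an OpenID identity
# provider on the cluster.
# Globals:   OPENSHIFT_OAUTH_NAME, CLUSTER_CLIENT_ID, KEYCLOAK_HOSTNAME,
#            KEYCLOAK_REALM (read). KEYCLOAK_HOSTNAME is used as the start of
#            the issuer URL, so it presumably carries the scheme — confirm.
# Arguments: $1 - when non-empty, add a ca: reference to the ca-config-map
#                 ConfigMap so the cluster trusts a self-signed or
#                 intermediate Keycloak certificate
# Outputs:   the CR as YAML on stdout
#######################################
render_oauth_cr() {
  local with_ca=$1
  local ca_section=""
  if [[ -n ${with_ca} ]]; then
    # Two lines indented to the depth of "claims:" plus a trailing newline,
    # so the expansion below slots in directly before "      claims:".
    ca_section=$'      ca:\n        name: ca-config-map\n'
  fi
  cat <<EOM
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    release.openshift.io/create-only: "true"
  name: cluster
spec:
  identityProviders:
  - mappingMethod: claim
    name: ${OPENSHIFT_OAUTH_NAME}
    openID:
${ca_section}      claims:
        email:
        - email
        name:
        - name
        preferredUsername:
        - preferred_username
      clientID: ${CLUSTER_CLIENT_ID}
      clientSecret:
        name: ${OPENSHIFT_OAUTH_NAME}-client-secret
      issuer: ${KEYCLOAK_HOSTNAME}/auth/realms/${KEYCLOAK_REALM}
    type: OpenID
EOM
}

# The two former copies of this document differed only in the ca: reference,
# so render it once and let the CA bundle decide whether that block is present.
oauthCR=$(render_oauth_cr "${CA_CERT_BUNDLE}")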
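# Feed the rendered CR on stdin; print_failure sees oc's status because oc is
# the last stage of the pipeline.
printf '%s\n' "${oauthCR}" | oc apply -f -
print_failure "Failed to config OAuth CR"

echo "Removed old settings and also check to assigne cluster admin role to the user..."
# Create cluster role binding for admin users...
# String comparison on purpose: the previous `-eq` was arithmetic, and inside
# [[ ]] a non-numeric operand is evaluated as a variable name that, when unset,
# is 0 — so "false" compared equal to "true" and cluster-admin was granted for
# any non-empty value. Only the literal "true" opts in now.
if [[ ${CLUSTER_IS_ADMIN:-} == "true" ]]; then
  echo "Assign cluster-admin role to admin user"
  # NOTE(review): binds the fixed user "admin" while the cleanup below targets
  # ${ARGO_ADMIN_USERNAME} — confirm whether these are meant to be the same identity.
  oc create clusterrolebinding admin-oauth-binding --clusterrole="cluster-admin" --user=admin
fi

# Check if the user exists. If so, remove users and relevant identity to avoid potential errors
oc delete user "${ARGO_ADMIN_USERNAME}" --ignore-not-found
# `-o name` prints one identity per line; collect them into an array so each
# one is passed as its own argument without relying on word splitting.
mapfile -t identityNames < <(oc get identity --field-selector "providerName=${OPENSHIFT_OAUTH_NAME}" -o name)
if (( ${#identityNames[@]} == 0 )); then
  echo "identityName doesnt exist, exit successfully"
  exit 0
fi
oc delete "${identityNames[@]}"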