feat: adds script to setup kind cluster for WI
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
Showing
2 changed files
with
103 additions
and
1 deletion.
@@ -0,0 +1,102 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -o errexit | ||
set -o nounset | ||
set -o pipefail | ||
|
||
SCRIPT_PATH="$(dirname "${BASH_SOURCE[0]}")" | ||
|
||
validate() { | ||
# check if user is logged into azure cli | ||
if ! az account show > /dev/null 2>&1; then | ||
echo "Please login to Azure CLI using 'az login'" | ||
exit 1 | ||
fi | ||
} | ||
|
||
create_azure_blob_storage_account() { | ||
export RESOURCE_GROUP="${1:-oidc-issuer}" | ||
export LOCATION="${2:-westus2}" | ||
if [ "$(az group exists --name "${RESOURCE_GROUP}" --output tsv)" == 'false' ]; then | ||
echo "Creating resource group '${RESOURCE_GROUP}' in '${LOCATION}'" | ||
az group create --name "${RESOURCE_GROUP}" --location "${LOCATION}" | ||
fi | ||
|
||
AZURE_STORAGE_ACCOUNT="oidcissuer$(openssl rand -hex 4)" | ||
export AZURE_STORAGE_ACCOUNT | ||
export AZURE_STORAGE_CONTAINER="oidc" | ||
if ! az storage account show --name "${AZURE_STORAGE_ACCOUNT}" --resource-group "${RESOURCE_GROUP}" > /dev/null 2>&1; then | ||
echo "Creating storage account '${AZURE_STORAGE_ACCOUNT}' in '${RESOURCE_GROUP}'" | ||
az storage account create --resource-group "${RESOURCE_GROUP}" --name "${AZURE_STORAGE_ACCOUNT}" --allow-blob-public-access true | ||
fi | ||
|
||
if ! az storage container show --name "${AZURE_STORAGE_CONTAINER}" --account-name "${AZURE_STORAGE_ACCOUNT}" > /dev/null 2>&1; then | ||
echo "Creating storage container '${AZURE_STORAGE_CONTAINER}' in '${AZURE_STORAGE_ACCOUNT}'" | ||
az storage container create --name "${AZURE_STORAGE_CONTAINER}" --public-access container | ||
fi | ||
|
||
export SERVICE_ACCOUNT_ISSUER="https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/" | ||
} | ||
|
||
upload_openid_docs(){ | ||
echo "Getting public signing key from the cluster" | ||
cat <<EOF > "${SCRIPT_PATH}/openid-configuration.json" | ||
{ | ||
"issuer": "${SERVICE_ACCOUNT_ISSUER}", | ||
"jwks_uri": "${SERVICE_ACCOUNT_ISSUER}openid/v1/jwks", | ||
"response_types_supported": [ | ||
"id_token" | ||
], | ||
"subject_types_supported": [ | ||
"public" | ||
], | ||
"id_token_signing_alg_values_supported": [ | ||
"RS256" | ||
] | ||
} | ||
EOF | ||
|
||
echo "Uploading openid-configuration document to '${AZURE_STORAGE_ACCOUNT}' storage account" | ||
upload_to_blob "${AZURE_STORAGE_CONTAINER}" "${SCRIPT_PATH}/openid-configuration.json" ".well-known/openid-configuration" | ||
|
||
kubectl get --raw /openid/v1/jwks | jq > "${SCRIPT_PATH}/jwks.json" | ||
echo "Uploading jwks document to '${AZURE_STORAGE_ACCOUNT}' storage account" | ||
upload_to_blob "${AZURE_STORAGE_CONTAINER}" "${SCRIPT_PATH}/jwks.json" "openid/v1/jwks" | ||
} | ||
|
||
upload_to_blob() { | ||
local container_name=$1 | ||
local file_path=$2 | ||
local blob_name=$3 | ||
|
||
echo "Uploading ${file_path} to '${AZURE_STORAGE_ACCOUNT}' storage account" | ||
az storage blob upload \ | ||
--container-name "${container_name}" \ | ||
--file "${file_path}" \ | ||
--name "${blob_name}" | ||
} | ||
|
||
create_kind_cluster() { | ||
echo "Creating kind cluster" | ||
export KIND_CLUSTER_NAME="azure-workload-identity" | ||
KIND_IMAGE_VERSION="${KIND_IMAGE_VERSION:-v1.22.4}" | ||
|
||
kind delete cluster --name "${KIND_CLUSTER_NAME}" | ||
cat <<EOF | kind create cluster --name ${KIND_CLUSTER_NAME} --image kindest/node:"${KIND_IMAGE_VERSION}" --config=- | ||
kind: Cluster | ||
apiVersion: kind.x-k8s.io/v1alpha4 | ||
nodes: | ||
- role: control-plane | ||
kubeadmConfigPatches: | ||
- | | ||
kind: ClusterConfiguration | ||
apiServer: | ||
extraArgs: | ||
service-account-issuer: ${SERVICE_ACCOUNT_ISSUER} | ||
EOF | ||
} | ||
|
||
validate | ||
create_azure_blob_storage_account "$@" | ||
create_kind_cluster | ||
upload_openid_docs |
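Review bot: The `az storage container create` call in create_azure_blob_storage_account uses `--public-access container`, which allows anonymous listing of every blob in the container as well as anonymous reads; the discovery document and JWKS are fetched by fixed well-known paths, so the `blob` level is sufficient and is the least-privileged setting that still lets the issuer be resolved: `az storage container create --name "${AZURE_STORAGE_CONTAINER}" --account-name "${AZURE_STORAGE_ACCOUNT}" --public-access blob`. Passing `--account-name` explicitly also matches the preceding `az storage container show` call instead of relying on the exported AZURE_STORAGE_ACCOUNT environment variable being honored by the CLI. Separately, the account name is generated from `openssl rand -hex 4` on every run, so the existence checks that follow it never match and each invocation creates a new publicly readable storage account that nothing in the script deletes; accepting the account name as an optional argument (as is already done for the resource group and location) or documenting the cleanup would avoid accumulating public accounts. `${KIND_CLUSTER_NAME}` in the `kind create cluster` line is the only unquoted expansion in the file and could be quoted for consistency.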