forked from ipbabble/multicluster-devsecops
/
cm-create-quaye-pull-secret.yaml
160 lines (137 loc) · 8.07 KB
/
cm-create-quaye-pull-secret.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
apiVersion: v1
kind: ConfigMap
metadata:
# quaye abbrev. for Quay Enterprise
name: create-quaye-pull-secret
namespace: {{ .Values.quay.namespace }}
annotations:
argocd.argoproj.io/sync-wave: "-1"
data:
create-quaye-pull-secret.sh: |
#!/bin/bash -e
function quay_cmd() {
DATA='{}'
if [ ! -z "$4" ]; then
DATA=$4
fi
echo "[$1] $2 $3 --data $DATA" 1>&2
AUTH="Fake: dummy"
if [ $1 = "Basic" ]; then
COUNT=$(oc -n $QUAY_NAMESPACE get --ignore-not-found=true secret $QUAY_USER_SECRET | wc -l)
if [ $COUNT -gt 1 ]; then
BASIC=$(oc -n $QUAY_NAMESPACE extract secret/$QUAY_USER_SECRET --keys=basic --to=-)
fi
AUTH="Authorization: Basic $BASIC"
elif [ $1 = "Bearer" ]; then
AUTH="Authorization: Bearer $TOKEN"
fi
curl -X $2 $CURL_OPTS -H 'Content-Type: application/json' -H "$AUTH" https://$QUAY_HOST$3 --data "$DATA"
echo "[INFO] Success" 1>&2
}
CURL_OPTS="-fsk"
QUAY_USER_SECRET=quay-user
env | grep QUAY | grep -v QUAY_REGISTRY
if [ -z "$QUAY_NAMESPACE" ]; then
QUAY_NAMESPACE={{ .Values.quay.namespace }}
fi
if [ -z "$QUAY_HOST" ]; then
QUAY_HOST="quay-registry-quay-quay-enterprise.{{ .Values.global.hubClusterDomain }}"
fi
if [ -z "$QUAY_USER" ]; then
QUAY_USER={{ .Values.quay.setup.user.name }}
fi
if [ -z "$QUAY_USER_EMAIL" ]; then
QUAY_USER_EMAIL={{ .Values.quay.setup.user.email }}
fi
if [ -z "$QUAY_ORG" ]; then
QUAY_ORG={{ .Values.global.quay.org.name }}
fi
if [ -z "$QUAY_ORG_EMAIL" ]; then
QUAY_ORG_EMAIL={{ .Values.global.quay.org.email }}
fi
if [ -z "$QUAY_REPO" ]; then
QUAY_REPO={{ .Values.global.quay.repo }}
fi
echo "[INFO] Looking for initial token ..."
SECRET_NAME=quay-init-token
COUNT=$(oc -n $QUAY_NAMESPACE get --ignore-not-found=true secret $SECRET_NAME | wc -l)
if [ $COUNT = 0 ]; then
INITPASS=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 20 ; echo '' )
echo "[INFO] Destroy any previous secrets ..."
oc -n $QUAY_NAMESPACE delete --ignore-not-found=true secret $QUAY_USER_SECRET
oc -n openshift-operators delete --ignore-not-found=true secret quay-pull-secret
# Invoke API and add quay user to the API - initiates API
echo "[INFO] Creating default user..."
JSONTOKEN=$(quay_cmd None POST /api/v1/user/initialize "{ \"username\": \"{{ .Values.quay.setup.admin.name }}\", \"password\":\"$INITPASS\", \"email\": \"{{ .Values.quay.setup.admin.email }}\", \"access_token\": true}")
echo "[INFO] Creating $SECRET_NAME ..."
oc -n $QUAY_NAMESPACE create secret generic $SECRET_NAME --from-literal=token=$JSONTOKEN --from-literal=password=$INITPASS
fi
TOKEN=$(oc -n $QUAY_NAMESPACE extract secret/$SECRET_NAME --keys=token --to=- | grep access_token | cut -d : -f2 | awk -F\" '{print $2}')
# Now extract the token and store in the Quay Integration secret in openshift-operators namespace
# oc create secret -n openshift-operators generic quay-integration --from-literal=token=$TOKEN
echo "[INFO] Checking our bearer token is still valid ..."
COUNT=$(quay_cmd Bearer GET /api/v1/superuser/users/ | grep \"$QUAY_USER\" | wc -l)
if [ $COUNT = 0 ]; then
# Either the super user doesn't exist, or the token is invalid... determine which...
COUNT=$(quay_cmd Basic GET /api/v1/organization/$QUAY_ORG | wc -l)
if [ $COUNT -gt 0 ]; then
# We found the $QUAY_USER_SECRET secret, with valid basic auth details, and used it to obtain the previously created organization...
# Conclude the bearer token has expired (150min lifetime)
echo "Bearer token has expired"
exit 0
fi
fi
echo "[INFO] Looking for our superuser ..."
COUNT=$(quay_cmd Bearer GET /api/v1/superuser/users/ | grep \"$QUAY_USER\" | wc -l)
if [ $COUNT = 0 ]; then
echo "[INFO] Creating $QUAY_USER user ..."
RESPONSE=$(quay_cmd Bearer POST /api/v1/superuser/users/ "{ \"username\": \"$QUAY_USER\", \"email\": \"$QUAY_USER_EMAIL\", \"access_token\": true}")
QUAY_PASSWORD=$(echo $RESPONSE | tr ',' '\n' | grep '"password"' | cut -d \" -f 4)
BASE64AUTH=`echo -n $QUAY_USER:$QUAY_PASSWORD | base64 -w0`
echo "[INFO] Creating $QUAY_USER_SECRET secret ..."
oc -n $QUAY_NAMESPACE create secret generic $QUAY_USER_SECRET --from-literal=token="$RESPONSE" --from-literal=basic="$BASE64AUTH"
echo "[INFO] Creating quay-pull-secret ..."
echo -e "{ \"auths\": { \"$QUAY_HOST\": { \"auth\": \"$BASE64AUTH\" } }}" | oc -n openshift-operators create secret generic quay-pull-secret --from-file=.dockerconfigjson=/dev/stdin --type=kubernetes.io/dockerconfigjson
# https://access.redhat.com/solutions/5462311
# Requires CLIENTID to be added to DIRECT_OAUTH_CLIENTID_WHITELIST for this to work
# If it worked, we could create a new OAuth token when the original one expires after 150min
####
# CLIENTID=$(quay_cmd Bearer GET /api/v1/organization/$QUAY_ORG/applications | sed -e 's/{/\n/g' | grep "\"name\": \"$APPLICATION\"" | sed -e 's/,/\n/g' | grep client_id | awk '{print $2}' | sed 's/"//g')
# quay_cmd Basic PUT "/oauth/authorize?response_type=token&client_id=$CLIENTID&scope=org:admin%20repo:admin%20repo:create%20repo:read%20repo:write%20super:user%20user:admin%20user:read&redirect_uri=https://$QUAY_HOST%2Foauth%2Flocalapp"
fi
echo "[INFO] Looking for initial organization ..."
COUNT=$(quay_cmd Bearer GET /api/v1/organization/$QUAY_ORG | grep -v not_found | wc -l)
if [ $COUNT = 0 ]; then
echo "[INFO] Creating $QUAY_ORG org ..."
# Email cannot be shared with the initial user
quay_cmd Bearer POST /api/v1/organization/ "{\"name\": \"$QUAY_ORG\", \"email\": \"$QUAY_ORG_EMAIL\" }"
quay_cmd Basic GET /api/v1/organization/$QUAY_ORG
fi
echo "[INFO] Looking for org application ..."
# The only way to get another OAuth token is to go to: Organization -> Applications -> {app} -> Generate Token
# If there was a programatic way to do it here, we could avoid the problem with the bearer token expiring after 150min
APPLICATION=automation
COUNT=$(quay_cmd Bearer GET /api/v1/organization/$QUAY_ORG/applications | grep $APPLICATION | wc -l)
if [ $COUNT = 0 ]; then
echo "[INFO] Creating $APPLICATION application..."
quay_cmd Bearer POST /api/v1/organization/$QUAY_ORG/applications "{\"name\": \"$QUAY_ORG-automation\", \"description\": \"automation app\" }"
fi
echo "[INFO] Looking for initial repo ..."
COUNT=$(quay_cmd Bearer GET /api/v1/repository/$QUAY_ORG/$QUAY_REPO | grep -v not_found | wc -l)
if [ $COUNT = 0 ]; then
echo "[INFO] Creating $QUAY_REPO repo..."
quay_cmd Bearer POST /api/v1/repository "{\"namespace\":\"$QUAY_ORG\", \"repository\":\"$QUAY_REPO\", \"visibility\":\"public\", \"description\":\"Development Repo\", \"repo_kind\":\"image\"}"
fi
echo "[INFO] Looking for $QUAY_ORG members ..."
COUNT=$(quay_cmd Bearer GET /api/v1/organization/$QUAY_ORG/team/owners/members | grep "name\": \"$QUAY_USER\"" | wc -l)
if [ $COUNT = 0 ]; then
echo "[INFO] Associating $QUAY_USER with $QUAY_ORG ..."
quay_cmd Bearer PUT /api/v1/organization/$QUAY_ORG/team/owners/members/$QUAY_USER '{}'
fi
echo "[INFO] Looking for $QUAY_REPO admins ..."
COUNT=$(quay_cmd Bearer GET /api/v1/repository/$QUAY_ORG/$QUAY_REPO/permissions/user/$QUAY_USER | grep '"role": "admin"' | wc -l)
if [ $COUNT = 0 ]; then
echo "[INFO] Give $QUAY_USER admin rights to the repo ..."
quay_cmd Bearer PUT /api/v1/repository/$QUAY_ORG/$QUAY_REPO/permissions/user/$QUAY_USER '{ "role": "admin"}'
fi
echo "[INFO] Job finished"