diff --git a/.github/workflows/release-genkubeconfig.yml b/.github/workflows/release-genkubeconfig.yml
new file mode 100644
index 0000000..ceccb21
--- /dev/null
+++ b/.github/workflows/release-genkubeconfig.yml
@@ -0,0 +1,37 @@
+name: Release-Genkubeconfig-Image
+
+on:
+ workflow_dispatch:
+
+env:
+ REGISTRY: ghcr.io/kyma-project/cfapi
+
+jobs:
+ build:
+ runs-on: [ self-hosted ]
+
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Create korifi release artifacts
+ shell: bash
+ working-directory: 'tools/kubeconfig'
+ run: |
+ docker build -t ${{ env.REGISTRY }}/genkubeconfig
+ docker push ${{ env.REGISTRY }}/genkubeconfig
+
+
diff --git a/tools/kubeconfig/Dockerfile b/tools/kubeconfig/Dockerfile
new file mode 100644
index 0000000..3b89695
--- /dev/null
+++ b/tools/kubeconfig/Dockerfile
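Review bot: The `docker build` line in the last `run:` step has no build context argument, so `docker build -t ${{ env.REGISTRY }}/genkubeconfig` fails before anything is pushed; it should read `docker build -t ${{ env.REGISTRY }}/genkubeconfig .`. The job also requests `attestations: write` and `id-token: write` but no step uses them, so either add the provenance/attestation step those permissions were meant for or drop them and keep the job token at least privilege. `actions/checkout@v3` is a mutable tag while `docker/login-action` is pinned to a commit SHA; pinning checkout the same way keeps the supply-chain posture consistent. Pushing without a tag means every run overwrites `:latest`; tagging with `${{ github.sha }}` as well would make the published image traceable to the commit that built it.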
@@ -0,0 +1,24 @@
+FROM ruby:3.3
+
+#ENV BTP_CLI_VERSION=2.64.0
+#ENV TOOLS_URL=https://tools.hana.ondemand.com
+#
+#RUN curl --fail --silent --location --cookie eula_3_2_agreed="$TOOLS_URL/developer-license-3_2.txt" \
+# --url "$TOOLS_URL/additional/btp-cli-linux-amd64-$BTP_CLI_VERSION.tar.gz"
+
+ENV UAA_URL="https://uaa.cf.eu10.hana.ondemand.com"
+ENV OIDC_PREFIX="sap.ids"
+ENV YQ_VERSION=v4.44.3
+
+
+RUN gem install cf-uaac
+RUN wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64.tar.gz -O - | tar xz && mv yq_linux_amd64 /usr/bin/yq
+RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && chmod +x kubectl && mv kubectl /usr/bin/
+
+
+WORKDIR /genkc
+COPY gen-kubeconfig.sh .
+ADD serviceaccount.yaml .
+
+WORKDIR /work
+ENTRYPOINT ["/genkc/gen-kubeconfig.sh"]
\ No newline at end of file
diff --git a/tools/kubeconfig/gen-kubeconfig.sh b/tools/kubeconfig/gen-kubeconfig.sh
new file mode 100644
index 0000000..89df641
--- /dev/null
+++ b/tools/kubeconfig/gen-kubeconfig.sh
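Review bot: The `RUN wget … | tar xz` and `RUN curl -LO … kubectl` lines install two binaries straight from the network with no integrity check, and the kubectl version is resolved from `stable.txt` at build time, so the image is not reproducible and a changed or tampered download would go unnoticed. Pin kubectl through an `ENV` the same way `YQ_VERSION` is pinned, and verify both downloads against their published SHA-256 checksums (Kubernetes publishes `kubectl.sha256` next to the binary, usable as `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` before the `mv`). `ADD serviceaccount.yaml .` should be `COPY serviceaccount.yaml .`, since `ADD`'s URL-fetch and auto-extract behaviour is not wanted for a local file. The image also runs as root; if the script does not need it, a `USER` directive before `ENTRYPOINT` would be worth adding.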
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eo pipefail
+set -o xtrace
+
+SCRIPTDIR=$(dirname "$0")
+
+BTP_USER=$1
+KUBECONFIG_INPUT=${2:-kubeconfig.yaml}
+
+cp $KUBECONFIG_INPUT kubeconfig-user.yaml
+export KUBECONFIG=kubeconfig-user.yaml
+
+if [[ -z "${UAA_URL}" ]]; then
+ echo "Env UAA_URL not set"
+ exit 1
+fi
+
+uaac target $UAA_URL
+uaac token sso get cf --secret ""
+uaac me
+
+KUBECONFIG_USER="$OIDC_PREFIX:$BTP_USER"
+KUBECONFIG_TOKEN=$(yq ".[\"$UAA_URL\"].contexts[\"$BTP_USER\"].access_token" ~/.uaac.yml)
+
+yq -i ".users |= [{\"name\":\"$KUBECONFIG_USER\", \"user\": {\"token\":\"$KUBECONFIG_TOKEN\"}}]" $KUBECONFIG
+yq -i ".contexts[0].context.user |= \"$KUBECONFIG_USER\"" $KUBECONFIG
+
+kubectl apply -f $SCRIPTDIR/serviceaccount.yaml
+kubectl wait --for=jsonpath='{.data.token}' secret/admin-serviceaccount
+SA_TOKEN=$(kubectl get secret admin-serviceaccount -o=go-template='{{.data.token | base64decode}}')
+
+cp $KUBECONFIG kubeconfig-sa.yaml
+yq -i ".users |= [{\"name\":\"admin-serviceaccount\", \"user\": {\"token\":\"$SA_TOKEN\"}}]" kubeconfig-sa.yaml
+yq -i ".contexts[0].context.user |= \"admin-serviceaccount\"" kubeconfig-sa.yaml
+
diff --git a/tools/kubeconfig/serviceaccount.yaml b/tools/kubeconfig/serviceaccount.yaml
new file mode 100644
index 0000000..91893b5
--- /dev/null
+++ b/tools/kubeconfig/serviceaccount.yaml
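Review bot: `set -o xtrace` on line 4 traces every expanded command, so the `KUBECONFIG_TOKEN=$(…)` and `SA_TOKEN=$(…)` assignments and the `yq -i ".users |= […\"token\":\"$KUBECONFIG_TOKEN\"…]"` lines print the UAA access token and the cluster-admin service-account token to stderr, where they end up in terminal scrollback and CI logs. Remove the xtrace (or `set +x` before the token handling) and stop splicing the tokens into the yq program text: export them and read them with `strenv()`, e.g. `export KUBECONFIG_USER KUBECONFIG_TOKEN` followed by `yq -i '.users |= [{"name": strenv(KUBECONFIG_USER), "user": {"token": strenv(KUBECONFIG_TOKEN)}}]' "$KUBECONFIG"`, which also keeps a token containing quotes or backslashes from breaking the expression. `BTP_USER=$1` is never validated, so a missing argument silently produces the user name `"$OIDC_PREFIX:"` and a lookup of `.contexts[""]`; fail early with `[[ -n "$BTP_USER" ]] || { echo "usage: $0 <btp-user> [kubeconfig]" >&2; exit 1; }`. The `$KUBECONFIG_INPUT`, `$KUBECONFIG` and `$SCRIPTDIR` expansions should be double-quoted so paths with spaces do not word-split.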
@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+ name: admin-serviceaccount
+ namespace: default
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: admin-serviceaccount
+ namespace: default
+ annotations:
+ kubernetes.io/service-account.name: admin-serviceaccount
+type: kubernetes.io/service-account-token
+---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: admin-serviceaccount
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+ subjects:
+ - kind: ServiceAccount
+ name: admin-serviceaccount
+ namespace: default
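Review bot: The `ClusterRoleBinding` in the third document grants `cluster-admin` to `admin-serviceaccount`, and the `kubernetes.io/service-account-token` Secret in the second document gives that account a non-expiring token, which `gen-kubeconfig.sh` then copies into `kubeconfig-sa.yaml`; the result is a static, unrotated cluster-admin credential sitting in a file. If a long-lived token is genuinely required, say so in a comment above the Secret and document who rotates it; otherwise prefer a time-bound token from `kubectl create token admin-serviceaccount --duration=<ttl>`, which would let the Secret be dropped (with a matching change in the script). Consider also whether a narrower `ClusterRole` than `cluster-admin` covers what the generated kubeconfig is actually used for. The top-level keys of the third document appear to be indented one space deeper than those of the first two; aligning them at column 0 keeps the file consistent even though the parser accepts it.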