kyma-project · szeort · Aug 15, 2024 · Aug 15, 2024
diff --git a/.github/workflows/release-genkubeconfig.yml b/.github/workflows/release-genkubeconfig.yml
@@ -0,0 +1,37 @@
+name: Release-Genkubeconfig-Image
+
+on:
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io/kyma-project/cfapi
+
+jobs:
+  build:
+    runs-on: [ self-hosted ]
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+    - name: Checkout code 
+      uses: actions/checkout@v3
+
+    - name: Log in to the Container registry
+      uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Create korifi release artifacts
+      shell: bash
+      working-directory: 'tools/kubeconfig'
+      run: |
+        docker build -t ${{ env.REGISTRY }}/genkubeconfig
+        docker push ${{ env.REGISTRY }}/genkubeconfig
+
+
diff --git a/tools/kubeconfig/Dockerfile b/tools/kubeconfig/Dockerfile
@@ -0,0 +1,24 @@
+FROM ruby:3.3
+
+#ENV BTP_CLI_VERSION=2.64.0
+#ENV TOOLS_URL=https://tools.hana.ondemand.com
+#
+#RUN curl --fail --silent --location --cookie eula_3_2_agreed="$TOOLS_URL/developer-license-3_2.txt" \
+#  --url "$TOOLS_URL/additional/btp-cli-linux-amd64-$BTP_CLI_VERSION.tar.gz" 
+
+ENV UAA_URL="https://uaa.cf.eu10.hana.ondemand.com"
+ENV OIDC_PREFIX="sap.ids"
+ENV YQ_VERSION=v4.44.3
+
+
+RUN gem install cf-uaac
+RUN wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64.tar.gz -O - | tar xz && mv yq_linux_amd64 /usr/bin/yq
+RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"  && chmod +x kubectl && mv kubectl /usr/bin/
+
+
+WORKDIR /genkc
+COPY gen-kubeconfig.sh . 
+ADD serviceaccount.yaml . 
+
+WORKDIR /work
+ENTRYPOINT ["/genkc/gen-kubeconfig.sh"]
diff --git a/tools/kubeconfig/gen-kubeconfig.sh b/tools/kubeconfig/gen-kubeconfig.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eo pipefail 
+set -o xtrace
+
+SCRIPTDIR=$(dirname "$0")
+
+BTP_USER=$1
+KUBECONFIG_INPUT=${2:-kubeconfig.yaml}
+
+cp $KUBECONFIG_INPUT kubeconfig-user.yaml
+export KUBECONFIG=kubeconfig-user.yaml
+
+if [[ -z "${UAA_URL}" ]]; then
+ echo "Env UAA_URL not set"
+ exit 1
+fi
+
+uaac target $UAA_URL
+uaac token sso get cf --secret ""
+uaac me
+
+KUBECONFIG_USER="$OIDC_PREFIX:$BTP_USER"
+KUBECONFIG_TOKEN=$(yq ".[\"$UAA_URL\"].contexts[\"$BTP_USER\"].access_token" ~/.uaac.yml)
+
+yq -i ".users |= [{\"name\":\"$KUBECONFIG_USER\", \"user\": {\"token\":\"$KUBECONFIG_TOKEN\"}}]" $KUBECONFIG
+yq -i ".contexts[0].context.user |= \"$KUBECONFIG_USER\"" $KUBECONFIG
+
+kubectl apply -f $SCRIPTDIR/serviceaccount.yaml
+kubectl wait --for=jsonpath='{.data.token}' secret/admin-serviceaccount
+SA_TOKEN=$(kubectl get secret admin-serviceaccount -o=go-template='{{.data.token | base64decode}}')
+
+cp $KUBECONFIG kubeconfig-sa.yaml
+yq -i ".users |= [{\"name\":\"admin-serviceaccount\", \"user\": {\"token\":\"$SA_TOKEN\"}}]" kubeconfig-sa.yaml
+yq -i ".contexts[0].context.user |= \"admin-serviceaccount\"" kubeconfig-sa.yaml
+
diff --git a/tools/kubeconfig/serviceaccount.yaml b/tools/kubeconfig/serviceaccount.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+  name: admin-serviceaccount
+  namespace: default
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: admin-serviceaccount
+  namespace: default
+  annotations:
+    kubernetes.io/service-account.name: admin-serviceaccount
+type: kubernetes.io/service-account-token
+---
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+   name: admin-serviceaccount
+ roleRef:
+   apiGroup: rbac.authorization.k8s.io
+   kind: ClusterRole
+   name: cluster-admin
+ subjects:
+ - kind: ServiceAccount
+   name: admin-serviceaccount
+   namespace: default