wip
nithyatsu committed Nov 21, 2024
1 parent 8d2cd96 commit 182966c
Showing 1 changed file with 13 additions and 93 deletions.
106 changes: 13 additions & 93 deletions .github/workflows/functional-test-cloud.yaml
Expand Up @@ -560,61 +560,6 @@ jobs:
sudo mv azwi /usr/local/bin/
sudo chmod +x /usr/local/bin/azwi
- name: Create storage account
id: create_storage_account
if: github.event_name == 'workflow_dispatch'
run: |
export AZURE_STORAGE_ACCOUNT="oidcissuer$(openssl rand -hex 4)"
export AZURE_STORAGE_CONTAINER="oidc-test"
echo ${AZURE_STORAGE_ACCOUNT}
echo ${AZURE_STORAGE_CONTAINER}
az storage account create --resource-group ${{ env.AZURE_TEST_RESOURCE_GROUP }} --name ${AZURE_STORAGE_ACCOUNT} --allow-blob-public-access true
az storage container create --name ${AZURE_STORAGE_CONTAINER} --public-access blob
cat <<EOF > openid-configuration.json
{
"issuer": "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/",
"jwks_uri": "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/openid/v1/jwks",
"response_types_supported": [
"id_token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
]
}
EOF
az storage blob upload \
--container-name "${AZURE_STORAGE_CONTAINER}" \
--file openid-configuration.json \
--name .well-known/openid-configuration
eval "export $(echo "${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')"
AUTHKEY=$(echo -n "${{ github.actor }}:${{ secrets.GH_RAD_CI_BOT_PAT }}" | base64)
echo "{\"auths\":{\"ghcr.io\":{\"auth\":\"${AUTHKEY}\"}}}" > "./ghcr_secret.json"
echo $AZURE_OIDC_ISSUER_PUBLIC_KEY | base64 -d > sa.pub
echo $AZURE_OIDC_ISSUER_PRIVATE_KEY | base64 -d > sa.key
echo "public key"
echo $AZURE_OIDC_ISSUER_PUBLIC_KEY
azwi jwks --public-keys sa.pub --output-file jwks.json
az storage blob upload \
--container-name ${AZURE_STORAGE_CONTAINER} \
--file jwks.json \
--name openid/v1/jwks
OIDC=https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/
echo "OIDC_TEST_URL=$OIDC" >> $GITHUB_OUTPUT
echo "AZURE_STORAGE_ACCOUNT=$AZURE_STORAGE_ACCOUNT" >> $GITHUB_OUTPUT
echo "AZURE_STORAGE_CONTAINER=$AZURE_STORAGE_CONTAINER" >> $GITHUB_OUTPUT
echo "OIDC URL:------------>"
echo $OIDC
echo "OIDC URL END:------------>"
# this step is to configure the aws credentials for github actions.
# The role-to-assume is the role that the github action will assume to execute aws commands.
- name: configure aws credentials using assumed role
Expand All @@ -629,40 +574,15 @@ jobs:
run: |
aws sts get-caller-identity
OIDC_TEST_URL=${{ steps.create_storage_account.outputs.OIDC_TEST_URL }}
AZURE_STORAGE_ACCOUNT=${{ steps.create_storage_account.outputs.AZURE_STORAGE_ACCOUNT }}
AZURE_STORAGE_CONTAINER=${{ steps.create_storage_account.outputs.AZURE_STORAGE_CONTAINER }}
echo "validating the OIDC URL"
curl -s "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/openid/v1/jwks"
# Populate the following environment variables for Azure workload identity from secrets.
# AZURE_OIDC_ISSUER_PUBLIC_KEY
# AZURE_OIDC_ISSUER_PRIVATE_KEY
eval "export $(echo "${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')"
echo "Creating IDP"
SERVER_NAME=${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net
THUMBPRINT=$(echo | openssl s_client -servername $SERVER_NAME -showcerts -connect $SERVER_NAME:443 2>/dev/null | openssl x509 -fingerprint -noout | cut -d'=' -f2 | sed 's/://g')
echo "THUMBPRINT"
echo $THUMBPRINT
PROVIDER_ARN=$(aws iam create-open-id-connect-provider \
--url ${OIDC_TEST_URL} \
--client-id-list sts.amazonaws.com \
--thumbprint-list $THUMBPRINT \
--query 'OpenIDConnectProviderArn' \
--output text)
echo "PROVIDER_ARN"
echo $PROVIDER_ARN
echo "JUST BEFORE AWS ROLE CREATION OIDC URL:------------>"
echo $OIDC_TEST_URL
echo "OIDC URL END:------------>"
# Remove https:// from OIDC URL
OIDC_URL_NO_HTTPS=${OIDC_TEST_URL#https://}
echo "OIDC URL NO HTTPS:------------>"
echo $OIDC_URL_NO_HTTPS
echo "oidc issuer"
echo $AZURE_OIDC_ISSUER
FEDERATED_ARN=arn:aws:iam::179022619019:oidc-provider/radiusoidc.blob.core.windows.net/kubeoidc
#TODO: make the policy more restrictive
Expand All @@ -686,13 +606,13 @@ jobs:
{
"Effect": "Allow",
"Principal": {
"Federated": "${PROVIDER_ARN}"
"Federated": "${FEDERATED_ARN}"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_URL_NO_HTTPS}:sub": "system:serviceaccount:radius-system:ucp",
"${OIDC_URL_NO_HTTPS}:aud": "sts.amazonaws.com"
"radiusoidc.blob.core.windows.net/kubeoidc:sub": "system:serviceaccount:radius-system:ucp",
"radiusoidc.blob.core.windows.net/kubeoidc:aud": "sts.amazonaws.com"
}
}
},
Expand All @@ -705,8 +625,8 @@ jobs:
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"${OIDC_URL_NO_HTTPS}:sub": "system:serviceaccount:radius-system:applications-rp",
"${OIDC_URL_NO_HTTPS}:aud": "sts.amazonaws.com"
"radiusoidc.blob.core.windows.net/kubeoidc:sub": "system:serviceaccount:radius-system:applications-rp",
"radiusoidc.blob.core.windows.net/kubeoidc:aud": "sts.amazonaws.com"
}
}
}
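Review bot: The issuer host `radiusoidc.blob.core.windows.net/kubeoidc` is now spelled out by hand in three places — inside `FEDERATED_ARN` (which appears to be on the added side, since the new `Principal` references `${FEDERATED_ARN}`) and in the `:sub`/`:aud` condition keys of both trust-policy statements in the last two hunks — so a typo or a later issuer change in one statement would leave the other statement trusting a different provider, and nothing in the workflow would fail loudly. A single `env:` value such as `OIDC_ISSUER: radiusoidc.blob.core.windows.net/kubeoidc` (constructed name), with `FEDERATED_ARN=arn:aws:iam::179022619019:oidc-provider/${OIDC_ISSUER}` and `"${OIDC_ISSUER}:sub"` / `"${OIDC_ISSUER}:aud"` in the conditions, keeps the ARN and the condition keys in agreement the way the removed `${OIDC_URL_NO_HTTPS}` did. Because the role trust now rests on a long-lived shared issuer instead of a per-run key pair and provider, a comment next to `FEDERATED_ARN` recording where that issuer's signing key and JWKS are maintained and how they are rotated would help whoever has to respond if the provider is removed or its key has to be replaced; the `#TODO: make the policy more restrictive` note just below it still applies. The `run:` block these lines belong to starts before the hunk, and whether the `steps.create_storage_account` outputs are still referenced anywhere outside the shown hunks cannot be seen here.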
