diff --git a/.github/workflows/functional-test-cloud.yaml b/.github/workflows/functional-test-cloud.yaml
index 591cc4d2ae0..39117ed2bba 100644
--- a/.github/workflows/functional-test-cloud.yaml
+++ b/.github/workflows/functional-test-cloud.yaml
@@ -560,61 +560,6 @@ jobs: sudo mv azwi /usr/local/bin/ sudo chmod +x /usr/local/bin/azwi - - name: Create storage account - id: create_storage_account - if: github.event_name == 'workflow_dispatch' - run: | - export AZURE_STORAGE_ACCOUNT="oidcissuer$(openssl rand -hex 4)" - export AZURE_STORAGE_CONTAINER="oidc-test" - echo ${AZURE_STORAGE_ACCOUNT} - echo ${AZURE_STORAGE_CONTAINER} - az storage account create --resource-group ${{ env.AZURE_TEST_RESOURCE_GROUP }} --name ${AZURE_STORAGE_ACCOUNT} --allow-blob-public-access true - az storage container create --name ${AZURE_STORAGE_CONTAINER} --public-access blob - cat < openid-configuration.json - { - "issuer": "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/", - "jwks_uri": "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/openid/v1/jwks", - "response_types_supported": [ - "id_token" - ], - "subject_types_supported": [ - "public" - ], - "id_token_signing_alg_values_supported": [ - "RS256" - ] - } - EOF - az storage blob upload \ - --container-name "${AZURE_STORAGE_CONTAINER}" \ - --file openid-configuration.json \ - --name .well-known/openid-configuration - eval "export $(echo "${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')" - AUTHKEY=$(echo -n "${{ github.actor }}:${{ secrets.GH_RAD_CI_BOT_PAT }}" | base64) - echo "{\"auths\":{\"ghcr.io\":{\"auth\":\"${AUTHKEY}\"}}}" > "./ghcr_secret.json" - - echo $AZURE_OIDC_ISSUER_PUBLIC_KEY | base64 -d > sa.pub - echo $AZURE_OIDC_ISSUER_PRIVATE_KEY | base64 -d > sa.key - - echo "public key" - echo $AZURE_OIDC_ISSUER_PUBLIC_KEY - - - azwi jwks --public-keys sa.pub --output-file jwks.json - az storage blob upload \ - --container-name ${AZURE_STORAGE_CONTAINER} \ - --file jwks.json \ - --name openid/v1/jwks - - OIDC=https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/ - echo "OIDC_TEST_URL=$OIDC" >> $GITHUB_OUTPUT - echo 
"AZURE_STORAGE_ACCOUNT=$AZURE_STORAGE_ACCOUNT" >> $GITHUB_OUTPUT - echo "AZURE_STORAGE_CONTAINER=$AZURE_STORAGE_CONTAINER" >> $GITHUB_OUTPUT - - echo "OIDC URL:------------>" - echo $OIDC - echo "OIDC URL END:------------>" - # this step is to configure the aws credentials for github actions. # The role-to-assume is the role that the github action will assume to execute aws commands. - name: configure aws credentials using assumed role 
@@ -629,40 +574,15 @@ jobs: run: | aws sts get-caller-identity - OIDC_TEST_URL=${{ steps.create_storage_account.outputs.OIDC_TEST_URL }} - AZURE_STORAGE_ACCOUNT=${{ steps.create_storage_account.outputs.AZURE_STORAGE_ACCOUNT }} - AZURE_STORAGE_CONTAINER=${{ steps.create_storage_account.outputs.AZURE_STORAGE_CONTAINER }} - - echo "validating the OIDC URL" - curl -s "https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/openid/v1/jwks" + # Populate the following environment variables for Azure workload identity from secrets. + # AZURE_OIDC_ISSUER_PUBLIC_KEY + # AZURE_OIDC_ISSUER_PRIVATE_KEY + eval "export $(echo "${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')" - echo "Creating IDP" - - SERVER_NAME=${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net - THUMBPRINT=$(echo | openssl s_client -servername $SERVER_NAME -showcerts -connect $SERVER_NAME:443 2>/dev/null | openssl x509 -fingerprint -noout | cut -d'=' -f2 | sed 's/://g') - - echo "THUMBPRINT" - echo $THUMBPRINT - - - PROVIDER_ARN=$(aws iam create-open-id-connect-provider \ - --url ${OIDC_TEST_URL} \ - --client-id-list sts.amazonaws.com \ - --thumbprint-list $THUMBPRINT \ - --query 'OpenIDConnectProviderArn' \ - --output text) - - echo "PROVIDER_ARN" - echo $PROVIDER_ARN - - echo "JUST BEFORE AWS ROLE CREATION OIDC URL:------------>" - echo $OIDC_TEST_URL - echo "OIDC URL END:------------>" - - # Remove https:// from OIDC URL - OIDC_URL_NO_HTTPS=${OIDC_TEST_URL#https://} - echo "OIDC URL NO HTTPS:------------>" - echo $OIDC_URL_NO_HTTPS + echo "oidc issuer" + echo $AZURE_OIDC_ISSUER + + FEDERATED_ARN=arn:aws:iam::179022619019:oidc-provider/radiusoidc.blob.core.windows.net/kubeoidc #TODO: make the policy more restrictive 
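Review bot: The new `FEDERATED_ARN=arn:aws:iam::179022619019:oidc-provider/radiusoidc.blob.core.windows.net/kubeoidc` hard-codes both the account and the provider path, while `$AZURE_OIDC_ISSUER` from the secret is only echoed and never used, so if the secret's issuer and this literal ever diverge the role trust policy built further down will silently stop matching the tokens. I would derive the provider from the issuer and the account from the `aws sts get-caller-identity` call already in this step, e.g. `ISSUER_PATH="${AZURE_OIDC_ISSUER#https://}"; ISSUER_PATH="${ISSUER_PATH%/}"` and `FEDERATED_ARN="arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):oidc-provider/${ISSUER_PATH}"` (assuming the provider lives in the caller's account, which this hunk does not show), and fail fast with `: "${AZURE_OIDC_ISSUER:?not set by FUNCTEST_AZURE_OIDC_JSON}"` before using it. The added comment lists only `AZURE_OIDC_ISSUER_PUBLIC_KEY` and `AZURE_OIDC_ISSUER_PRIVATE_KEY` but the script also depends on `AZURE_OIDC_ISSUER`, and it should note that `eval` exports every key of the JSON, including the private key, into the environment of every later command in this step. Also `${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}` is expanded into the script text itself; passing it through the step's `env:` and reading `"$FUNCTEST_AZURE_OIDC_JSON"` keeps the secret out of the generated script, and the `@sh` quoting protects only values, not keys, so the JSON must remain trusted. The enclosing `run:` block continues past the end of this hunk, whose trailing context lines appear truncated here.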
@@ -686,13 +606,13 @@ jobs:
 {
 "Effect": "Allow",
 "Principal": {
- "Federated": "${PROVIDER_ARN}"
+ "Federated": "${FEDERATED_ARN}"
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
 "StringEquals": {
- "${OIDC_URL_NO_HTTPS}:sub": "system:serviceaccount:radius-system:ucp",
- "${OIDC_URL_NO_HTTPS}:aud": "sts.amazonaws.com"
+ "radiusoidc.blob.core.windows.net/kubeoidc:sub": "system:serviceaccount:radius-system:ucp",
+ "radiusoidc.blob.core.windows.net/kubeoidc:aud": "sts.amazonaws.com"
 }
 }
 },
@@ -705,8 +625,8 @@ jobs:
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
 "StringEquals": {
- "${OIDC_URL_NO_HTTPS}:sub": "system:serviceaccount:radius-system:applications-rp",
- "${OIDC_URL_NO_HTTPS}:aud": "sts.amazonaws.com"
+ "radiusoidc.blob.core.windows.net/kubeoidc:sub": "system:serviceaccount:radius-system:applications-rp",
+ "radiusoidc.blob.core.windows.net/kubeoidc:aud": "sts.amazonaws.com"
 }
 }
 }
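Review bot: The trust policy now names `radiusoidc.blob.core.windows.net/kubeoidc` as a string literal in the `:sub` and `:aud` condition keys, duplicating the path already embedded in `FEDERATED_ARN` from the preceding hunk; a typo in any one copy yields a policy that never matches, and nothing checks the three agree. Since this heredoc already expands shell variables (the removed lines used `${PROVIDER_ARN}`), the keys can be derived from the same source, e.g. `"${FEDERATED_ARN#*oidc-provider/}:sub": "system:serviceaccount:radius-system:ucp",` and `"${FEDERATED_ARN#*oidc-provider/}:aud": "sts.amazonaws.com"`. The change also replaces a per-run provider with a fixed, long-lived trust anchor: whoever can write the JWKS in that blob container can mint a token with this `sub` and assume the role, so I would add a comment above the policy such as `# Trust anchor: the JWKS published at radiusoidc.blob.core.windows.net/kubeoidc; write access to that container is equivalent to holding this role.` and record who owns it, which the `#TODO: make the policy more restrictive` context line does not cover. The `run:` block and the heredoc that hold this JSON start before the hunk.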