wip

radius-project · Nov 22, 2024 · 98e76f5 · 98e76f5
1 parent 805ac16
commit 98e76f5
Showing 1 changed file with 15 additions and 11 deletions.
diff --git a/.github/workflows/functional-test-cloud.yaml b/.github/workflows/functional-test-cloud.yaml
@@ -577,15 +577,22 @@ jobs:
           # Populate the following environment variables for Azure workload identity from secrets.
           # AZURE_OIDC_ISSUER_PUBLIC_KEY
           # AZURE_OIDC_ISSUER_PRIVATE_KEY
+          # AZURE_OIDC_ISSUER
           eval "export $(echo "${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')"
 
-          echo "oidc issuer"
+          echo "oidc issuer is "
           echo $AZURE_OIDC_ISSUER
-
-          FEDERATED_ARN=arn:aws:iam::179022619019:oidc-provider/radiusoidc.blob.core.windows.net/kubeoidc
           
-          #TODO: make the policy more restrictive
+          echo "is OIDC issuer accessible?"
+
+          curl https://$AZURE_OIDC_ISSUER/.well-known/openid-configuration
+
+          curl https://$AZURE_OIDC_ISSUER/.well-known/jwks.json
+
+
+          FEDERATED_ARN=arn:aws:iam::179022619019:oidc-provider/radiusoidc.blob.core.windows.net/kubeoidc/
 
+          
           cat <<EOF > radius-policy.json
           {
             "Version": "2012-10-17",
@@ -606,7 +613,7 @@ jobs:
                 {
                     "Effect": "Allow",
                     "Principal": {
-                        "Federated": "${FEDERATED_ARN}"
+                        "Federated": "radiusoidc.blob.core.windows.net/kubeoidc/"
                     },
                     "Action": "sts:AssumeRoleWithWebIdentity",
                     "Condition": {
@@ -620,7 +627,7 @@ jobs:
                    "Sid": "Statement1",
                     "Effect": "Allow",
                     "Principal": {
-                        "Federated": "${FEDERATED_ARN}"
+                        "Federated": "radiusoidc.blob.core.windows.net/kubeoidc/"
                     },
                     "Action": "sts:AssumeRoleWithWebIdentity",
                     "Condition": {
@@ -658,6 +665,7 @@ jobs:
           echo "attached AWS IAM policy for Radius to the role"
 
           ROLE_ARN=$(aws iam get-role --role-name $ROLE_NAME --query 'Role.Arn' --output text)
+          
           echo "Role ARN IS: "
           echo $ROLE_ARN
           echo "ROLE_ARN=$ROLE_ARN" >> $GITHUB_OUTPUT
@@ -673,18 +681,14 @@ jobs:
           # AZURE_OIDC_ISSUER_PRIVATE_KEY
           eval "export $(echo "${{ secrets.FUNCTEST_AZURE_OIDC_JSON }}" | jq -r 'to_entries | map("\(.key)=\(.value)") | @sh')"
 
-          echo "oidc issuer"
+          echo "oidc issuer for cluster"
           echo $AZURE_OIDC_ISSUER
          
           
           AUTHKEY=$(echo -n "${{ github.actor }}:${{ secrets.GH_RAD_CI_BOT_PAT }}" | base64)
           echo "{\"auths\":{\"ghcr.io\":{\"auth\":\"${AUTHKEY}\"}}}" > "./ghcr_secret.json"
 
           # Create KinD cluster with OIDC Issuer keys
-
-          echo "public key for kind"
-          echo $AZURE_OIDC_ISSUER_PUBLIC_KEY 
-
           echo $AZURE_OIDC_ISSUER_PUBLIC_KEY | base64 -d > sa.pub
           echo $AZURE_OIDC_ISSUER_PRIVATE_KEY | base64 -d > sa.key
           cat <<EOF | ./kind create cluster --name radius --config=-