-
Notifications
You must be signed in to change notification settings - Fork 6
/
configure.sh
executable file
·254 lines (218 loc) · 9.17 KB
/
configure.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
#!/bin/bash
#######################################################################
# Setup Vars
#######################################################################
## GITHUB_CREDENTIAL_CLIENT_ID & GITHUB_CREDENTIAL_CLIENT_SECRET need to be defined
export GITHUB_CREDENTIAL_CLIENT_ID=${GITHUB_CREDENTIAL_CLIENT_ID:=""}
export GITHUB_CREDENTIAL_CLIENT_SECRET=${GITHUB_CREDENTIAL_CLIENT_SECRET:=""}
## GITHUB_ORGANIZATIONS is the limit on what GitHub Organizations can use this to log in - separated by a semicolon ';'
export GITHUB_ORGANIZATIONS=${GITHUB_ORGANIZATIONS:=""}
## GITHUB_TEAMS is the limit on what GitHub Organization Teams can use this to log in - separated by a semicolon ';'
export GITHUB_TEAMS=${GITHUB_TEAMS:=""}
## GITHUB_HOSTNAME should only be used if this is a private hosted GitHub Enterprise instance being targeted
export GITHUB_HOSTNAME=${GITHUB_HOSTNAME:=""}
## GITHUB_CA_CERT_PEM_FILE is the location to the CA Certificate the GitHub Enterprise server is signed by
export GITHUB_CA_CERT_PEM_FILE=${GITHUB_CA_CERT_PEM_FILE:=""}
#######################################################################
# Functions
#######################################################################
unameOut="$(uname -s)"
case "${unameOut}" in
Linux*) machine=linux;;
Darwin*) machine=osx-amd;;
*) machine="UNKNOWN:${unameOut}"
esac
case "${unameOut}" in
Linux*) yqmachine=linux;;
Darwin*) yqmachine=darwin;;
*) yqmachine="UNKNOWN:${unameOut}"
esac
archOut="$(arch)"
case "${archOut}" in
x86_64*) arch=64;;
x86*) arch=32;;
*) arch="UNKNOWN:${archOut}"
esac
case "${archOut}" in
x86_64*) yqarch=amd64;;
x86*) yqarch=386;;
*) arch="UNKNOWN:${archOut}"
esac
PWD=$(pwd)
PARENT_DIR=$(dirname "$PWD")
BIN_DIR="${PARENT_DIR}/bin"
JQ_BIN="${BIN_DIR}/jq"
YQ_BIN="${BIN_DIR}/yq"
function checkForProgramAndExit() {
command -v $1
if [[ $? -eq 0 ]]; then
printf '%-72s %-7s\n' $1 "PASSED!";
else
printf '%-72s %-7s\n' $1 "FAILED!";
exit 1
fi
}
function containsElement () {
local e match="$1"
shift
for e; do [[ "$e" == "$match" ]] && return 0; done
return 1
}
function checkjq () {
mkdir -p $BIN_DIR
if [ ! -f "${BIN_DIR}/jq" ]; then
curl -sSL https://github.com/stedolan/jq/releases/download/jq-1.6/jq-${machine}${arch} -o "${BIN_DIR}/jq"
fi
chmod +x "${BIN_DIR}/jq"
}
function checkyq () {
mkdir -p $BIN_DIR
if [ ! -f "${BIN_DIR}/yq" ]; then
curl -sSL https://github.com/mikefarah/yq/releases/download/v4.13.2/yq_${yqmachine}_${yqarch} -o "${BIN_DIR}/yq"
fi
chmod +x "${BIN_DIR}/yq"
}
#######################################################################
# Preflight
#######################################################################
echo "===== Checking for required applications..."
export PATH="${BIN_DIR}:$PATH"
checkjq
checkyq
checkForProgramAndExit oc
checkForProgramAndExit jq
checkForProgramAndExit yq
if [[ -z "$GITHUB_CREDENTIAL_CLIENT_ID" ]] || [[ -z "$GITHUB_CREDENTIAL_CLIENT_SECRET" ]]; then
echo "GitHub OAuth Credentials not found at \$GITHUB_CREDENTIAL_CLIENT_ID and \$GITHUB_CREDENTIAL_CLIENT_SECRET!"
echo "Failed preflight!"
exit 1
else
CLIENT_ID=$GITHUB_CREDENTIAL_CLIENT_ID
CLIENT_SECRET=$GITHUB_CREDENTIAL_CLIENT_SECRET
fi
GITHUB_ORG_ARRAY=()
GITHUB_TEAMS_ARRAY=()
if [[ ! -z $GITHUB_ORGANIZATIONS ]]; then
GITHUB_ORG_ARRAY=(${GITHUB_ORGANIZATIONS//;/ })
fi
if [[ ! -z $GITHUB_TEAMS ]]; then
GITHUB_TEAMS_ARRAY=(${GITHUB_TEAMS//;/ })
fi
if [[ ! -z $GITHUB_CA_CERT_PEM_FILE ]]; then
if [[ ! -f $GITHUB_CA_CERT_PEM_FILE ]]; then
echo "GitHub CA Certificate defined as \$GITHUB_CA_CERT_PEM_FILE but not found on the filesystem!"
echo "Failed preflight!"
exit 1
fi
fi
# Dry run mode
if [[ ! -z $1 ]]; then
if [[ $1 != "--commit" ]]; then
echo -e "\n======================================================================\nDry run - configuration NOT applied to cluster! Rerun with '--commit'\n======================================================================\n"
fi
else
echo -e "\n======================================================================\nDry run - configuration NOT applied to cluster! Rerun with '--commit'\n======================================================================\n"
fi
#######################################################################
# Main Script
#######################################################################
# Check for a logged in user
oc whoami >/dev/null 2>&1
if [[ $? == 0 ]]; then
# Check for existing secret
oc get secret github-oauth-client-secret -n openshift-config >/dev/null 2>&1
if [[ $? == 1 ]]; then
if [[ $1 == "--commit" ]]; then
echo "===== Creating GitHub OAuth Client Secret, Secret..."
oc create secret generic github-oauth-client-secret --from-literal=clientSecret=$CLIENT_SECRET -n openshift-config
else
echo -e "\n===== Target YAML Modification:\n"
oc create secret generic github-oauth-client-secret --from-literal=clientSecret=$CLIENT_SECRET -n openshift-config --dry-run=client -o yaml
fi
fi
# Check for existing CA Cert ConfigMap if needed
if [[ ! -z $GITHUB_CA_CERT_PEM_FILE ]] && [[ -f $GITHUB_CA_CERT_PEM_FILE ]]; then
# Check for existing CA Cert ConfigMap
oc get configmap github-ca-config-map -n openshift-config >/dev/null 2>&1
if [[ $? == 1 ]]; then
if [[ $1 == "--commit" ]]; then
echo "===== Creating GitHub CA Cert ConfigMap..."
oc create configmap github-ca-config-map --from-file=ca.crt=$GITHUB_CA_CERT_PEM_FILE -n openshift-config
else
echo -e "\n===== Target YAML Modification:\n"
oc create configmap github-ca-config-map --from-file=ca.crt=$GITHUB_CA_CERT_PEM_FILE -n openshift-config --dry-run=client -o yaml
fi
fi
fi
# Template out the OAuth Config
sed "s|CLIENT_ID_HERE|${CLIENT_ID}|g" oauth-config.yaml.template > oauth-config.yaml
echo "" >> oauth-config.yaml
# Add Hostname
if [[ ! -z "$GITHUB_HOSTNAME" ]]; then
echo " hostname: ${GITHUB_HOSTNAME}" >> oauth-config.yaml
fi
# Add CA Certificate definition
if [[ ! -z $GITHUB_CA_CERT_PEM_FILE ]] && [[ -f $GITHUB_CA_CERT_PEM_FILE ]]; then
echo " ca:" >> oauth-config.yaml
echo " name: github-ca-config-map" >> oauth-config.yaml
fi
# Add Organization Filters
if [[ ${#GITHUB_ORG_ARRAY[@]} -gt 0 ]]; then
echo " organizations:" >> oauth-config.yaml
for org in ${GITHUB_ORG_ARRAY[@]}; do
echo " - ${org}" >> oauth-config.yaml
done
fi
# Add Team Filters
if [[ ${#GITHUB_TEAMS_ARRAY[@]} -gt 0 ]]; then
echo " teams:" >> oauth-config.yaml
for team in ${GITHUB_TEAMS_ARRAY[@]}; do
echo " - ${team}" >> oauth-config.yaml
done
fi
# Take current OAuth cluster configuration
CURRENT_CLUSTER_CONFIG=$(oc get OAuth cluster -o yaml)
CURRENT_CONFIG_LEN=$(echo "$CURRENT_CLUSTER_CONFIG" | ${YQ_BIN} eval '.spec.identityProviders | length' -)
CURRENT_IDPs=""
CURRENT_IDP_NAMES=()
echo -e "\n===== Current Config (${CURRENT_CONFIG_LEN}):\n\n${CURRENT_CLUSTER_CONFIG}"
# Add current OAuth Identity Providers to an array
for ((n=0;n<$CURRENT_CONFIG_LEN;n++))
do
CUR_NAME=$(echo "$CURRENT_CLUSTER_CONFIG" | ${YQ_BIN} eval '.spec.identityProviders['$n'].name' -)
echo "===== Found IDP: ${CUR_NAME}..."
CURRENT_IDP_NAMES=(${CURRENT_IDP_NAMES[@]} "$CUR_NAME")
CURRENT_IDPs="${CURRENT_IDPs}$(echo "$CURRENT_CLUSTER_CONFIG" | ${YQ_BIN} -o=json eval '.spec.identityProviders['$n']' -),"
done
containsElement $(cat oauth-config.yaml | ${YQ_BIN} eval '.spec.identityProviders[0].name' -) "${CURRENT_IDP_NAMES[@]}"
if [[ $? == 0 ]]; then
echo "This identity provider $(cat oauth-config.yaml | ${YQ_BIN} eval '.spec.identityProviders[0].name' -) looks to already be configured!"
exit 0
else
# Add the proposed IDP to the array
CURRENT_IDPs="[${CURRENT_IDPs}$(cat oauth-config.yaml | ${YQ_BIN} -o=json eval '.spec.identityProviders[0]' -)]"
# Apply the joined configuration
echo "Adding GitHub OAuth to OAuth cluster configuration..."
PATCH_CONTENTS='{"spec": { "identityProviders": '${CURRENT_IDPs}' }}'
if [[ $1 == "--commit" ]]; then
echo "Writing configuration to cluster!"
oc patch OAuth cluster --type merge --patch "$PATCH_CONTENTS"
else
echo -e "\n===== Target YAML Modification:\n"
oc patch OAuth cluster --type merge --patch "$PATCH_CONTENTS" --dry-run=client -o yaml
fi
fi
# Dry run mode
if [[ ! -z $1 ]]; then
if [[ $1 != "--commit" ]]; then
echo -e "\n======================================================================\nDry run - configuration NOT applied to cluster! Rerun with '--commit'\n======================================================================\n"
fi
else
echo -e "\n======================================================================\nDry run - configuration NOT applied to cluster! Rerun with '--commit'\n======================================================================\n"
fi
echo -e "\nFinished provisioning GitHub OAuth Identity Provider for OpenShift!\n\n"
exit 0
else
echo "Not logged into an OpenShift cluster with `oc` CLI!"
exit 1
fi