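{{- if and .Values.global.provisioning.enabled .Values.global.compass.registration.enabled -}}
# Post-install/post-upgrade hook: registers the KCP Provisioner and the Kyma
# Environment Broker as Compass integration systems, requests OAuth client
# credentials for each and stores them in two Secrets in the release namespace.
# The ServiceAccount/Role/RoleBinding below are scoped to exactly that: create
# Secrets, and get only the two Secrets the job manages.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "fullname" . }}-registration
  namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ template "fullname" . }}-registration
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "fullname" . }}-registration
subjects:
  - kind: ServiceAccount
    name: {{ template "fullname" . }}-registration
    namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "fullname" . }}-registration
  namespace: {{ .Release.Namespace }}
rules:
  # Secrets live in the core ("") API group; "*" would also match any other
  # group exposing a "secrets" resource. "create" cannot be narrowed by
  # resourceNames (the name is not known at authorization time).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # "get" is only used to check whether the two managed Secrets already exist.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames:
      - {{ .Values.global.provisioner.secrets.integrationSystemCredentials.name }}
      - {{ .Values.global.kyma_environment_broker.secrets.integrationSystemCredentials.name }}
    verbs: ["get"]
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ template "fullname" . }}-registration
  namespace: {{ .Release.Namespace }}
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-weight": "1"
    # The previous hook Job is removed before a new one is created.
    "helm.sh/hook-delete-policy": before-hook-creation
spec:
  # No retries: a failed registration surfaces directly in the hook status.
  backoffLimit: 0
  template:
    metadata:
      name: {{ template "fullname" . }}-registration
    spec:
      serviceAccountName: {{ template "fullname" . }}-registration
      restartPolicy: Never
      containers:
        - name: {{ template "fullname" . }}-registration
          image: europe-docker.pkg.dev/kyma-project/prod/tpi/k8s-tools:v20230330-fdf134f3
          command:
            - bash
            - -c
            - |
              # Fail fast: any unchecked non-zero status (also inside pipelines)
              # aborts the job with that status; the EXIT trap propagates it.
              set -o errexit -o pipefail

              MAX_RETRIES=60
              RETRY_DELAY_SECONDS=5
              # Plain HTTP inside the cluster; transport protection, if any, comes
              # from the mesh sidecar that kill_proxy_and_exit shuts down - TODO confirm.
              DIRECTOR_URL=http://compass-director.compass-system.svc.cluster.local:3000/graphql
              DIRECTOR_HEALTHZ_URL=http://compass-director.compass-system.svc.cluster.local:3000/healthz

              # Unsigned ("alg":"none") internal JWT for the Director: scopes and
              # tenant are claimed, not verified, so DIRECTOR_URL must stay
              # reachable only from inside the cluster.
              SCOPES="runtime:write runtime:read integration_system:read integration_system:write integration_system.auths:read"
              TOKEN_PAYLOAD='{"scopes": "'"${SCOPES}"'","tenant":"{{ .Values.global.defaultTenant }}"}'
              # Standard (not URL-safe) base64 with padding stripped - acceptable as
              # long as the encoded payload contains no '+' or '/'.
              ENCODED_TOKEN_PAYLOAD=$(echo -e "${TOKEN_PAYLOAD}" | base64 | tr -d '\n')
              INTERNAL_TOKEN="eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.${ENCODED_TOKEN_PAYLOAD//=}."
              PROVISIONER_SECRET_NAME={{ .Values.global.provisioner.secrets.integrationSystemCredentials.name }}
              BROKER_SECRET_NAME={{ .Values.global.kyma_environment_broker.secrets.integrationSystemCredentials.name }}

              # Run a readiness command until it succeeds, sleeping
              # RETRY_DELAY_SECONDS between attempts; exit 1 after MAX_RETRIES
              # failures.
              #   $1   - human-readable name of what is awaited (log lines only)
              #   $2.. - command to run; its exit status is the readiness signal
              function wait_until() {
                local what=$1
                shift
                local attempt=0
                until "$@"; do
                  attempt=$((attempt + 1))
                  if (( attempt > MAX_RETRIES )); then
                    echo "Max retries has been reached (retries ${MAX_RETRIES}) waiting for ${what}. Exit."
                    exit 1
                  fi
                  echo "${what} not ready - waiting ${RETRY_DELAY_SECONDS}s..."
                  sleep "${RETRY_DELAY_SECONDS}"
                done
                echo "${what} ready."
              }

              # Readiness probe: the API server answers kubectl.
              function api_server_reachable() {
                kubectl version > /dev/null 2>&1
              }

              # Readiness probe: the Director health endpoint answers 200.
              function director_healthy() {
                local code
                code=$(curl -s "${DIRECTOR_HEALTHZ_URL}" --write-out '%{http_code}' --output /dev/null) || code="000"
                if [[ "${code}" != "200" ]]; then
                  echo "Director not ready! StatusCode: '${code}'"
                  return 1
                fi
              }

              # POST a JSON GraphQL request body ($1) to the Director and print
              # the raw response body. Callers must not log responses that carry
              # credentials.
              function director_post() {
                curl -sS "${DIRECTOR_URL}" \
                  -H 'Content-Type: application/json' \
                  -H 'Accept: application/json' \
                  -H "authorization: Bearer ${INTERNAL_TOKEN}" \
                  --data-binary "$1"
              }

              # Look up an integration system by name. Sets INTEGRATION_SYSTEM_ID
              # to its id, or to "" when nothing is registered under that name.
              # Only id and name are selected: the listing must not pull every
              # system's credentials into this job.
              #   $1 - integration system name
              function check_registration_status() {
                local name=$1
                echo "Checking if ${name} is already registered in integration system... "
                local response
                response=$(director_post '{"query":"query { result: integrationSystems { data { id name } } }"}')
                INTEGRATION_SYSTEM_ID=$(printf '%s' "${response}" | jq -r --arg name "${name}" '.data.result.data[] | select(.name == $name) | .id')
                if [[ -n "${INTEGRATION_SYSTEM_ID}" ]]; then
                  echo "${name} is already registered in integration system with id: ${INTEGRATION_SYSTEM_ID}."
                fi
              }

              # Register $1 (description $2) as an integration system unless it
              # already exists, request OAuth client credentials for it and store
              # them in Secret $3. jq -e makes a missing id/credential fatal.
              function register_integration_system() {
                local name=$1
                local description=$2
                local secret_name=$3

                check_registration_status "${name}"

                if [[ -z "${INTEGRATION_SYSTEM_ID}" ]]; then
                  echo "Creating ${name} integration system - in progress."
                  local response
                  response=$(director_post '{"query":"mutation registerIntegrationSystem { result: registerIntegrationSystem(in: { name: \"'"${name}"'\", description: \"'"${description}"'\" }) { id } }"}')
                  # Safe to log: the reply carries only the new id (or errors).
                  echo "${response}"
                  INTEGRATION_SYSTEM_ID=$(printf '%s' "${response}" | jq -er '.data.result.id')
                fi

                # This reply contains the client secret: parse it, never log it.
                local credentials
                credentials=$(director_post '{"query":"mutation requestCredentials { requestClientCredentialsForIntegrationSystem(id: \"'"${INTEGRATION_SYSTEM_ID}"'\") { id auth { credential { ... on OAuthCredentialData { clientId clientSecret url } } } } }"}')

                local client_id client_secret tokens_endpoint
                client_id=$(printf '%s' "${credentials}" | jq -er '.data.requestClientCredentialsForIntegrationSystem.auth.credential.clientId')
                client_secret=$(printf '%s' "${credentials}" | jq -er '.data.requestClientCredentialsForIntegrationSystem.auth.credential.clientSecret')
                tokens_endpoint=$(printf '%s' "${credentials}" | jq -er '.data.requestClientCredentialsForIntegrationSystem.auth.credential.url')

                kubectl create secret generic "${secret_name}" \
                  --from-literal=client_id="${client_id}" \
                  --from-literal=client_secret="${client_secret}" \
                  --from-literal=tokens_endpoint="${tokens_endpoint}" \
                  -n {{ .Release.Namespace }}

                echo "${name} integration system registration and requesting credentials - finished."
              }

              # Create Secret $3 through register_integration_system unless the
              # Secret already exists (existing credentials are never rotated here).
              function ensure_secret() {
                local name=$1
                local description=$2
                local secret_name=$3
                if kubectl get secret "${secret_name}" -n {{ .Release.Namespace }} > /dev/null 2>&1; then
                  echo "Secret ${secret_name} already exists."
                else
                  register_integration_system "${name}" "${description}" "${secret_name}"
                fi
              }

              # EXIT handler: ask the sidecar to quit, then propagate the script's
              # real exit status. An unconditional "exit 0" here would report
              # every failure (retry exhaustion, errexit) to Helm as success.
              function kill_proxy_and_exit() {
                local rc=$?
                echo 'killing pilot-agent...'
                curl -XPOST http://127.0.0.1:15020/quitquitquit || true
                sleep 4
                exit "${rc}"
              }

              trap kill_proxy_and_exit EXIT

              echo "Waiting for access to API Server..."
              wait_until "API Server" api_server_reachable

              echo "Checking if director is available..."
              wait_until "Director" director_healthy

              echo "Checking if provisioner secret with credentials exists..."
              ensure_secret "kcp-provisioner" "KCP Provisioner" "${PROVISIONER_SECRET_NAME}"

              echo "Checking if broker secret with credentials exists..."
              ensure_secret "kcp-kyma-environment-broker" "KCP Kyma Environment Broker" "${BROKER_SECRET_NAME}"
{{ end }}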