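#!/usr/bin/env bash
#
# Copyright (c) 2021, 2022, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
#
# tools/scripts/create-test-kube-client.sh
#
# Creates a namespace and a service account for a test run, binds the service
# account to TEST_ROLE and PROJECT_ADMIN_ROLE, and writes a kubeconfig at
# TEST_KUBECONFIG that authenticates as that service account.
#
# Required environment:
#   KUBECONFIG          admin kubeconfig (one readable file) used to create the objects
#   TEST_KUBECONFIG     path of the kubeconfig to write
#   TEST_NAMESPACE      namespace created for the test
#   TEST_ID             prefix for the service account, bindings and token secret
#   PROJECT_ADMIN_ROLE  existing clusterrole, bound in TEST_NAMESPACE
#   TEST_ROLE           existing clusterrole, bound in TEST_NAMESPACE and the system namespaces
#
# Exit status: 1 = missing variable, 2 = clusterrole not found,
#              3 = the test kubeconfig could not be built.
#
# Security notes:
#   * TEST_KUBECONFIG holds a bearer token, so it is created with mode 0600.
#   * A kubernetes.io/service-account-token Secret yields a token without an
#     expiry. Delete the secret (or TEST_NAMESPACE) after the run to revoke it.
#   * The rolebindings in the system namespaces are not removed when
#     TEST_NAMESPACE is deleted; test teardown has to delete them separately.

# Temporary files; removed on every exit path by cleanup().
admin_copy=""
ca_crt=""

cleanup() {
  if [[ -n "$admin_copy" ]]; then
    rm -f -- "$admin_copy"
  fi
  if [[ -n "$ca_crt" ]]; then
    rm -f -- "$ca_crt"
  fi
}
trap cleanup EXIT

for required in TEST_KUBECONFIG TEST_NAMESPACE TEST_ID PROJECT_ADMIN_ROLE TEST_ROLE; do
  if [[ -z "${!required:-}" ]]; then
    echo "${required} is undefined."
    exit 1
  fi
done

# The admin kubeconfig is copied further down; fail before touching the
# cluster instead of after the objects have been created.
if [[ -z "${KUBECONFIG:-}" || ! -r "${KUBECONFIG}" ]]; then
  echo "KUBECONFIG is undefined or is not a readable file."
  exit 1
fi

for cluster_role in "${TEST_ROLE}" "${PROJECT_ADMIN_ROLE}"; do
  if ! kubectl get clusterrole "$cluster_role" -o 'jsonpath={.metadata.name}' >/dev/null 2>&1; then
    echo "clusterrole \"$cluster_role\" not found."
    exit 2
  fi
done

sa="${TEST_ID}-sa"
sa_ref="${TEST_NAMESPACE}:${sa}"

# Object creation stays best-effort (no set -e): on a re-run these commands
# report AlreadyExists and the script carries on, as before.
kubectl create ns "${TEST_NAMESPACE}"
kubectl -n "${TEST_NAMESPACE}" create serviceaccount "$sa"

# TEST_ROLE is granted in each system namespace and in the test namespace.
for ns in verrazzano-system istio-system cert-manager cattle-system ingress-nginx keycloak "${TEST_NAMESPACE}"; do
  kubectl -n "$ns" create rolebinding "${TEST_ID}-${TEST_ROLE}-binding" \
    --clusterrole="${TEST_ROLE}" --serviceaccount="$sa_ref"
done
kubectl -n "${TEST_NAMESPACE}" create rolebinding "${TEST_ID}-${PROJECT_ADMIN_ROLE}-binding" \
  --clusterrole="${PROJECT_ADMIN_ROLE}" --serviceaccount="$sa_ref"

# In k8s 1.24 and later, secret is not created for service account. Create a
# service account token secret and get the token from the same.
secret="${TEST_ID}-sa-token"
kubectl -n "${TEST_NAMESPACE}" apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${secret}
  annotations:
    kubernetes.io/service-account.name: ${sa}
type: kubernetes.io/service-account-token
EOF

echo "Creating test kubeconfig at ${TEST_KUBECONFIG}"
export OLD_KUBECONFIG="${KUBECONFIG}"

# Work on a private copy of the admin kubeconfig. mktemp gives an unpredictable
# name with mode 0600; a fixed /tmp/<id>-kubeconfig path could be pre-created
# or read by another local user.
if ! admin_copy="$(mktemp)" || ! cp -- "${KUBECONFIG}" "$admin_copy"; then
  echo "could not copy ${KUBECONFIG} to a temporary file." >&2
  exit 3
fi
export KUBECONFIG="$admin_copy"

# Prints one base64-decoded field of the token secret.
# $1 - key under .data, escaped for jsonpath (e.g. 'ca\.crt')
read_secret_field() {
  kubectl -n "${TEST_NAMESPACE}" get secret "$secret" -o "jsonpath={.data.$1}" \
    | openssl enc -d -base64 -A
}

context="$(kubectl config current-context)"
cluster="$(kubectl config view -o "jsonpath={.contexts[?(@.name==\"$context\")].context.cluster}")"
server="$(kubectl config view -o "jsonpath={.clusters[?(@.name==\"$cluster\")].cluster.server}")"
if [[ -z "$context" || -z "$cluster" || -z "$server" ]]; then
  echo "could not read context, cluster and server from ${OLD_KUBECONFIG}." >&2
  exit 3
fi

# The secret's data is filled in asynchronously after the apply above, so poll
# for the token instead of reading it once and writing an empty credential.
token=""
for ((attempt = 0; attempt < 30; attempt++)); do
  token="$(read_secret_field token)"
  if [[ -n "$token" ]]; then
    break
  fi
  sleep 1
done
if [[ -z "$token" ]]; then
  echo "secret \"$secret\" was not populated with a service account token." >&2
  exit 3
fi
ca_crt_data="$(read_secret_field 'ca\.crt')"
namespace="$(read_secret_field namespace)"

# Pre-create the target with owner-only permissions: it will hold the token.
# chmod also tightens a file left over from an earlier run.
if ! (umask 077 && touch -- "${TEST_KUBECONFIG}") || ! chmod 600 -- "${TEST_KUBECONFIG}"; then
  echo "could not create ${TEST_KUBECONFIG}." >&2
  exit 3
fi

if ! ca_crt="$(mktemp)"; then
  echo "could not create a temporary file for the CA certificate." >&2
  exit 3
fi
printf '%s\n' "$ca_crt_data" >"$ca_crt"

# Runs "kubectl config ..." against the kubeconfig being built.
test_config() {
  kubectl --kubeconfig="${TEST_KUBECONFIG}" config "$@" >/dev/null
}

# NOTE(review): set-credentials takes the token as a command-line flag, so it
# is visible in this host's process list while the command runs.
if ! {
  test_config set-credentials "$sa" --token="$token" &&
    test_config set-cluster "$cluster" --server="$server" \
      --certificate-authority="$ca_crt" --embed-certs &&
    test_config set-context "$context" --cluster="$cluster" \
      --namespace="$namespace" --user="$sa" &&
    test_config use-context "$context"
}; then
  echo "could not write ${TEST_KUBECONFIG}." >&2
  exit 3
fi
echo "Test kubeconfig ${TEST_KUBECONFIG} created."

# The temporary copies are removed by the EXIT trap.
export KUBECONFIG="$OLD_KUBECONFIG"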