k8s.io/test-infra@v0.0.0-20240520184403-27c6b4c223d8/workload-identity/enable-workload-identity.sh

k8s.io/test-infra@v0.0.0-20240520184403-27c6b4c223d8/workload-identity/enable-workload-identity.sh (about)

     1  #!/usr/bin/env bash
     2  # Copyright 2020 The Kubernetes Authors.
     3  #
     4  # Licensed under the Apache License, Version 2.0 (the "License");
     5  # you may not use this file except in compliance with the License.
     6  # You may obtain a copy of the License at
     7  #
     8  #     http://www.apache.org/licenses/LICENSE-2.0
     9  #
    10  # Unless required by applicable law or agreed to in writing, software
    11  # distributed under the License is distributed on an "AS IS" BASIS,
    12  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  # See the License for the specific language governing permissions and
    14  # limitations under the License.
    15  
    16  
    17  set -o nounset
    18  set -o errexit
    19  set -o pipefail
    20  
    21  # Enables workload identity on a cluster
    22  
    23  if [[ $# != 3 ]]; then
    24    echo "Usage: $(basename "$0") <project> <zone_or_region> <cluster>" >&2
    25    exit 1
    26  fi
    27  
    28  # Require bash version >= 4.4
    29  if ((${BASH_VERSINFO[0]}<4)) || ( ((${BASH_VERSINFO[0]}==4)) && ((${BASH_VERSINFO[1]}<4)) ); then
    30    echo "ERROR: This script requires a minimum bash version of 4.4, but got version of ${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}"
    31    if [ "$(uname)" = 'Darwin' ]; then
    32      echo "On macOS with homebrew 'brew install bash' is sufficient."
    33    fi
    34    exit 1
    35  fi
    36  
    37  project=$1
    38  zone=$2
    39  cluster=$3
    40  
    41  
    42  cluster_namespace="$project.svc.id.goog"
    43  pool_metadata=GKE_METADATA
    44  
    45  
    46  call-gcloud() {
    47    (
    48      set -o xtrace
    49      # gcloud container accepts region or zone for either argument
    50      gcloud beta container "$@" "--project=$project" "--zone=$zone"
    51    )
    52  }
    53  
    54  
    55  cluster-identity() {
    56    call-gcloud clusters describe "$cluster" --format='value(workloadIdentityConfig.identityNamespace)'
    57  }
    58  
    59  pool-identities() {
    60    call-gcloud node-pools list "--cluster=$cluster" --format='value(name)' \
    61      --filter="config.workloadMetadataConfig.mode != $pool_metadata"
    62  }
    63  
    64  fix_service=
    65  service=iamcredentials.googleapis.com
    66  
    67  if [[ -z "$(gcloud services list "--project=$project" --filter "name:/$service")" ]]; then
    68    fix_service=yes
    69  fi
    70  
    71  fix_cluster=
    72  
    73  actual=$(cluster-identity)
    74  if [[ "$actual" != "$cluster_namespace" ]]; then
    75    fix_cluster=yes
    76  fi
    77  
    78  fix_pools=($(pool-identities))
    79  
    80  if [[ -z "$fix_service" && -z "$fix_cluster" && ${#fix_pools[@]} == 0 ]]; then
    81    echo "Nothing to do"
    82    exit 0
    83  fi
    84  
    85  echo "Enable workload identity on:"
    86  if [[ -n "$fix_service" ]]; then
    87    echo "  project: $project"
    88  fi
    89  if [[ -n "$fix_cluster" ]]; then
    90    echo "  cluster: $cluster"
    91  fi
    92  for pool in "${fix_pools[@]}"; do
    93    echo "  pool: $pool"
    94  done
    95  
    96  read -p "Proceed [y/N]:" ans
    97  case $ans in
    98    y*|Y*)
    99      ;;
   100    *)
   101      echo "ABORTING" >&2
   102      exit 1
   103      ;;
   104  esac
   105  
   106  if [[ -n "$fix_service" ]]; then
   107    gcloud services enable "--project=$project" "$service"
   108  fi
   109  
   110  if [[ -n "$fix_cluster" ]]; then
   111    call-gcloud clusters update "$cluster" "--workload-pool=$cluster_namespace"
   112  fi
   113  
   114  for pool in "${fix_pools[@]}"; do
   115    call-gcloud node-pools update --cluster="$cluster" "$pool" "--workload-metadata=$pool_metadata"
   116  done
   117  
   118  echo "DONE"