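#!/bin/bash
#
# 01-deploy.sh - wire a Vault server running in Kubernetes (pod vault-0 in
# namespace $VAULT_KNS) to Tekton and to Terraform Cloud:
#   1. read a Terraform Cloud user API token from ~/.terraform.d, or prompt,
#   2. look up the "owners" team id and the given user's id in the TFC API,
#   3. kubectl-apply ./config (Vault SA for token review, Tekton SA,
#      Vault Agent ConfigMap),
#   4. configure Vault's Kubernetes auth method, the tektonpol policy and
#      the tekton role,
#   5. enable Vault's Terraform Cloud secrets engine for that user.
#
# Usage: 01-deploy.sh <YOUR_TFC_ORG> <YOUR_TFC_USERNAME>
# Requires: curl, jq, kubectl with access to the vault-0 pod.
set -euo pipefail

export VAULT_KNS="vault"
# TKNS is not referenced by any live command below (only by the commented-out
# 'kubectl create sa'); the bound namespaces of the role are listed literally.
export TKNS="tektoncd"
readonly TFC_API="https://app.terraform.io/api/v2"

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# GET a Terraform Cloud API URL. The bearer token is handed to curl through a
# config read from stdin (-K -) so it never appears on the command line.
# Globals:   TOKEN (read)
# Arguments: $1 - full URL
# Outputs:   response body on stdout
# Returns:   curl's status; HTTP errors are failures because of -f
#######################################
tfc_get() {
  curl -fsS -K - "$1" <<EOF
header = "Authorization: Bearer ${TOKEN}"
header = "Content-Type: application/vnd.api+json"
EOF
}

#######################################
# Run a vault CLI command inside the vault-0 pod; stdin is forwarded so
# callers can pipe JSON payloads to 'vault write PATH -'.
# Globals:   VAULT_KNS (read)
# Arguments: vault sub-command and its arguments
#######################################
vault_exec() {
  kubectl exec -i vault-0 -n "$VAULT_KNS" -- vault "$@"
}

# --- preconditions: tools and arguments, before anything is prompted for
#     or changed in the cluster -------------------------------------------
command -v jq >/dev/null 2>&1 \
  || die $'\nThis script needs "jq" to parse JSON outputs. Please, install "jq"...'
for tool in curl kubectl; do
  command -v "$tool" >/dev/null 2>&1 || die "This script needs \"$tool\"..."
done

if [[ -z "${1:-}" || -z "${2:-}" ]]; then
  printf '\nPlease type your Terraform Cloud Org and Terraform Cloud user as parameters: \n\n' >&2
  printf '\t %s <YOUR_TFC_ORG> <YOUR_TFC_USERNAME> \n\n' "$0" >&2
  exit 1
fi
readonly TFC_ORG="$1"
readonly TFC_USER="$2"

# --- Terraform Cloud token -------------------------------------------------
# TOKEN is intentionally NOT exported: child processes only receive it where
# it is explicitly passed (curl config on stdin, jq via a per-command env).
if [[ -f "$HOME/.terraform.d/credentials.tfrc.json" ]]; then
  TOKEN="$(jq -r '.credentials."app.terraform.io".token // empty' \
    "$HOME/.terraform.d/credentials.tfrc.json")"
else
  printf '\nTerraform credentials not found. Consider doing "terraform login" next time...\n\n'
  # -r keeps backslashes literal; -s hides the token, so echo the newline ourselves.
  read -r -s -p "Insert your Terraform Cloud user API Token: " TOKEN
  printf '\n'
fi
[[ -n "$TOKEN" ]] || die "No Terraform Cloud token found in credentials file or on input."

# NOTE(review): only the first page of the teams listing is inspected; confirm
# that is sufficient for organizations with many teams.
TEAMID="$(tfc_get "${TFC_API}/organizations/${TFC_ORG}/teams" \
  | jq -r '.data[] | select(.attributes.name == "owners") | .id')"
[[ -n "$TEAMID" ]] || die "Could not find the 'owners' team in organization ${TFC_ORG}."

# The username goes in through --arg so it is matched as data, not spliced
# into the jq program.
TFUSERID="$(tfc_get "${TFC_API}/teams/${TEAMID}?include=users" \
  | jq -r --arg u "$TFC_USER" \
      '.included[] | select(.attributes.username == $u) | .id')"
[[ -n "$TFUSERID" ]] || die "User ${TFC_USER} is not a member of the 'owners' team."
export TEAMID TFUSERID

printf '\nTerraform Cloud Team ID for Owners at organization %s: %s\n' "$TFC_ORG" "$TEAMID"
printf '\nTerraform Cloud User ID for user %s: %s\n\n' "$TFC_USER" "$TFUSERID"

# --- Kubernetes objects ----------------------------------------------------
# Deploy Vault SA for JWT Token Review, Tekton pipelines service account and Vault Agent ConfigMap
kubectl apply -f ./config
#kubectl create sa tekton -n $TKNS

# --- Configuring Vault -----------------------------------------------------
# Token Secret of the vault-auth service account. This relies on the SA
# listing an auto-generated token Secret under .secrets; clusters that no
# longer create one by default leave this empty, hence the check.
VAULT_SA_NAME="$(kubectl get sa vault-auth -n default \
  --output go-template='{{ range .secrets }}{{ .name }}{{ end }}')"
[[ -n "$VAULT_SA_NAME" ]] \
  || die "Service account vault-auth has no token secret in namespace default."
# Both values come from the same Secret in the same namespace.
SA_JWT_TOKEN="$(kubectl get secret "$VAULT_SA_NAME" -n default \
  --output 'go-template={{ .data.token }}' | base64 --decode)"
SA_CA_CRT="$(kubectl get secret "$VAULT_SA_NAME" -n default \
  --output 'go-template={{ index .data "ca.crt" }}' | base64 --decode)"
# API server address as seen from inside the cluster. No TTY is allocated,
# so the output carries no carriage returns to strip.
K8S_HOST="$(kubectl exec vault-0 -n "$VAULT_KNS" -- printenv KUBERNETES_SERVICE_HOST)"
K8S_PORT="$(kubectl exec vault-0 -n "$VAULT_KNS" -- printenv KUBERNETES_SERVICE_PORT)"
export VAULT_SA_NAME K8S_HOST K8S_PORT

vault_exec policy write tektonpol - <<'EOF'
path "secret/data/cicd/*" {
  capabilities = ["read","update","list"]
}
path "terraform/creds/*" {
  capabilities = ["read","list"]
}
EOF

# Enabling an already-enabled mount is an error in Vault; check first so the
# script can be re-run without tolerating other failures.
if ! vault_exec auth list -format=json </dev/null | jq -e '."kubernetes/"' >/dev/null; then
  vault_exec auth enable kubernetes </dev/null
fi

# The reviewer JWT and CA are sent as a JSON payload on stdin ('vault write
# PATH -') instead of on the vault command line; jq reads the secret values
# from a per-command environment rather than from its own argv.
SA_JWT_TOKEN="$SA_JWT_TOKEN" SA_CA_CRT="$SA_CA_CRT" \
  jq -n --arg host "https://${K8S_HOST}:${K8S_PORT}" \
    '{token_reviewer_jwt: env.SA_JWT_TOKEN,
      kubernetes_host: $host,
      kubernetes_ca_cert: env.SA_CA_CRT,
      issuer: "https://kubernetes.default.svc.cluster.local"}' \
  | vault_exec write auth/kubernetes/config -

vault_exec write auth/kubernetes/role/tekton \
  bound_service_account_names="tekton-sa,vault-auth,default" \
  bound_service_account_namespaces="tekton-pipelines,default" \
  policies="tektonpol" \
  token_no_default_policy=false \
  token_ttl="1m" </dev/null

if ! vault_exec secrets list -format=json </dev/null | jq -e '."terraform/"' >/dev/null; then
  vault_exec secrets enable terraform </dev/null
fi

# Same stdin/env pattern for the Terraform Cloud token.
TOKEN="$TOKEN" jq -n '{token: env.TOKEN}' | vault_exec write terraform/config -
vault_exec write terraform/role/tekton user_id="$TFUSERID" ttl=10m </dev/null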