From 48f313e7b9adfdf2980da7a5b29b988c6cd09fdc Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Tue, 30 Jan 2024 13:50:46 -0800 Subject: [PATCH] feat: adds script to setup OIDC issuer (#1209) Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- .../oidc-issuer/discovery-document.md | 4 +- scripts/wi-kind-setup.sh | 151 ++++++++++++++++++ 2 files changed, 153 insertions(+), 2 deletions(-) create mode 100755 scripts/wi-kind-setup.sh diff --git a/docs/book/src/installation/self-managed-clusters/oidc-issuer/discovery-document.md b/docs/book/src/installation/self-managed-clusters/oidc-issuer/discovery-document.md index 413192780..e33854113 100644 --- a/docs/book/src/installation/self-managed-clusters/oidc-issuer/discovery-document.md +++ b/docs/book/src/installation/self-managed-clusters/oidc-issuer/discovery-document.md @@ -15,8 +15,8 @@ az group create --name "${RESOURCE_GROUP}" --location "${LOCATION}" export AZURE_STORAGE_ACCOUNT="oidcissuer$(openssl rand -hex 4)" export AZURE_STORAGE_CONTAINER="oidc-test" -az storage account create --resource-group "${RESOURCE_GROUP}" --name "${AZURE_STORAGE_ACCOUNT}" -az storage container create --name "${AZURE_STORAGE_CONTAINER}" --public-access container +az storage account create --resource-group "${RESOURCE_GROUP}" --name "${AZURE_STORAGE_ACCOUNT}" --allow-blob-public-access true +az storage container create --name "${AZURE_STORAGE_CONTAINER}" --public-access blob ``` ### 2. Generate the discovery document diff --git a/scripts/wi-kind-setup.sh b/scripts/wi-kind-setup.sh new file mode 100755 index 000000000..bc431fdc2 --- /dev/null +++ b/scripts/wi-kind-setup.sh 
@@ -0,0 +1,151 @@
+#!/usr/bin/env bash
+
+# This script requires the following tools:
+# - azure-cli : This is used for interacting with Azure services.
+# - kind : This is required if you need a kind cluster.
+# - kubectl : This is required and the context should be configured to the cluster if SKIP_CLUSTER=true.
+# - openssl : This is used to generate a random string.
+# - jq : This is used to process JSON data.
+#
+# Note: A kind cluster with the same name will be deleted if it already exists.
+# Please ensure you have these tools installed and configured correctly before running this script.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SCRIPT_PATH="$(dirname "${BASH_SOURCE[0]}")"
+KIND_CLUSTER_NAME="azure-workload-identity"
+KIND_IMAGE_VERSION="${KIND_IMAGE_VERSION:-v1.29.0}"
+
+help() {
+ echo "Usage: $0 [LOCATION] [RESOURCE_GROUP]"
+ echo
+ echo "Arguments:"
+ echo " LOCATION The location for the Azure resources."
+ echo " RESOURCE_GROUP The resource group for the Azure resources."
+ echo
+ echo "Environment variables:"
+ echo " SKIP_CLUSTER If set to 'true', the script will skip the kind cluster creation. Default: false"
+ echo " KIND_CLUSTER_NAME The name of the kind cluster. Default: ${KIND_CLUSTER_NAME}"
+ echo " KIND_IMAGE_VERSION The version of the kind image. Default: ${KIND_IMAGE_VERSION}"
+ echo
+ echo "This script requires the following tools:"
+ echo " - azure-cli : This is used for interacting with Azure services."
+ echo " - kind : This is required if you need a kind cluster."
+ echo " - kubectl : This is required and the context should be configured to the cluster if SKIP_CLUSTER=true."
+ echo " - openssl : This is used to generate a random string."
+ echo " - jq : This is used to process JSON data."
+ echo
+ echo "Note: A kind cluster with the same name will be deleted if it already exists."
+ echo "Please ensure you have these tools installed and configured correctly before running this script."
+}
+
+if [[ "$1" == "-h" || "$1" == "--help" ]]; then
+ help
+ exit 0
+fi
+
+LOCATION="${1}"
+RESOURCE_GROUP="${2}"
+AZURE_STORAGE_ACCOUNT="oidcissuer$(openssl rand -hex 4)"
+AZURE_STORAGE_CONTAINER="oidc"
+SERVICE_ACCOUNT_ISSUER="https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/"
+
+validate() {
+ # check if user is logged into azure cli
+ if ! az account show > /dev/null 2>&1; then
+ echo "Please login to Azure CLI using 'az login'"
+ exit 1
+ fi
+
+ # check if RESOURCE_GROUP and LOCATION are provided
+ if [ -z "${RESOURCE_GROUP:-}" ] || [ -z "${LOCATION:-}" ]; then
+ echo "RESOURCE_GROUP and LOCATION are required."
+ exit 1
+ fi
+}
+
+create_azure_blob_storage_account() {
+ if [ "$(az group exists --name "${RESOURCE_GROUP}" --output tsv)" == 'false' ]; then
+ echo "Creating resource group '${RESOURCE_GROUP}' in '${LOCATION}'"
+ az group create --name "${RESOURCE_GROUP}" --location "${LOCATION}" --output none --only-show-errors
+ fi
+
+ if ! az storage account show --name "${AZURE_STORAGE_ACCOUNT}" --resource-group "${RESOURCE_GROUP}" > /dev/null 2>&1; then
+ echo "Creating storage account '${AZURE_STORAGE_ACCOUNT}' in '${RESOURCE_GROUP}'"
+ az storage account create --resource-group "${RESOURCE_GROUP}" --name "${AZURE_STORAGE_ACCOUNT}" --allow-blob-public-access true --output none --only-show-errors
+ fi
+
+ if ! az storage container show --name "${AZURE_STORAGE_CONTAINER}" --account-name "${AZURE_STORAGE_ACCOUNT}" > /dev/null 2>&1; then
+ echo "Creating storage container '${AZURE_STORAGE_CONTAINER}' in '${AZURE_STORAGE_ACCOUNT}'"
+ az storage container create --name "${AZURE_STORAGE_CONTAINER}" --account-name "${AZURE_STORAGE_ACCOUNT}" --public-access blob --output none --only-show-errors
+ fi
+}
+
+upload_openid_docs(){
+ cat < "${SCRIPT_PATH}/openid-configuration.json"
+{
+ "issuer": "${SERVICE_ACCOUNT_ISSUER}",
+ "jwks_uri": "${SERVICE_ACCOUNT_ISSUER}openid/v1/jwks",
+ "response_types_supported": [
+ "id_token"
+ ],
+ "subject_types_supported": [
+ "public"
+ ],
+ "id_token_signing_alg_values_supported": [
+ "RS256"
+ ]
+}
+EOF
+
+ echo "Uploading openid-configuration document to '${AZURE_STORAGE_ACCOUNT}' storage account"
+ upload_to_blob "${AZURE_STORAGE_CONTAINER}" "${SCRIPT_PATH}/openid-configuration.json" ".well-known/openid-configuration"
+
+ echo "Getting public signing key from the cluster"
+ kubectl get --raw /openid/v1/jwks | jq > "${SCRIPT_PATH}/jwks.json"
+ echo "Uploading jwks document to '${AZURE_STORAGE_ACCOUNT}' storage account"
+ upload_to_blob "${AZURE_STORAGE_CONTAINER}" "${SCRIPT_PATH}/jwks.json" "openid/v1/jwks"
+}
+
+upload_to_blob() {
+ local container_name=$1
+ local file_path=$2
+ local blob_name=$3
+
+ echo "Uploading ${file_path} to '${AZURE_STORAGE_ACCOUNT}' storage account"
+ az storage blob upload \
+ --container-name "${container_name}" \
+ --file "${file_path}" \
+ --name "${blob_name}" \
+ --account-name "${AZURE_STORAGE_ACCOUNT}" \
+ --output none --only-show-errors
+}
+
+create_kind_cluster() {
+ if [ "${SKIP_CLUSTER:-}" = "true" ]; then
+ echo "Skipping cluster creation"
+ return
+ fi
+
+ echo "Creating kind cluster"
+ kind delete cluster --name "${KIND_CLUSTER_NAME}"
+ cat <