From e7c296061c72d2bda547a2dc0063b1e12329a747 Mon Sep 17 00:00:00 2001 From: Andrew Block Date: Thu, 4 Apr 2024 14:27:12 -0500 Subject: [PATCH] Updates to environment variable sourcing script Signed-off-by: Andrew Block --- tas-env-variables.sh | 55 +++++++++++++++++++++++++++++++++----------- 1 file changed, 42 insertions(+), 13 deletions(-) diff --git a/tas-env-variables.sh b/tas-env-variables.sh index 206f6c14..cdec2c1d 100755 --- a/tas-env-variables.sh +++ b/tas-env-variables.sh @@ -3,17 +3,46 @@ # This assumes you are currently running from the context of the namespace where your securesign is created # Run `oc project ` to ensure you are working within the correct context -export TUF_URL=$(oc get tuf -o jsonpath='{.items[0].status.url}') -export OIDC_ISSUER_URL=https://$(oc get route keycloak -n keycloak-system | tail -n 1 | awk '{print $2}')/auth/realms/trusted-artifact-signer -export COSIGN_FULCIO_URL=$(oc get fulcio -o jsonpath='{.items[0].status.url}') -export COSIGN_REKOR_URL=$(oc get rekor -o jsonpath='{.items[0].status.url}') -export COSIGN_MIRROR=$TUF_URL -export COSIGN_ROOT=$TUF_URL/root.json -export COSIGN_OIDC_ISSUER=$OIDC_ISSUER_URL -export COSIGN_OIDC_CLIENT_ID=trusted-artifact-signer -export COSIGN_CERTIFICATE_OIDC_ISSUER=$OIDC_ISSUER_URL +# Initialize Variables +export BASE_HOSTNAME=$(kubectl get cm -n openshift-config-managed console-public -o go-template="{{ .data.consoleURL }}" | sed 's@https://@@; s/^[^.]*\.//') +export KEYCLOAK_NAMESPACE="${KEYCLOAK_NAMESPACE:=keycloak-system}" + +export KEYCLOAK_CLIENT_ID="${KEYCLOAK_CLIENT_ID:=trusted-artifact-signer}" +export KEYCLOAK_REALM="${KEYCLOAK_REALM:=trusted-artifact-signer}" +export KEYCLOAK_HOSTNAME="${KEYCLOAK_HOSTNAME:=$(kubectl get keycloak -n ${KEYCLOAK_NAMESPACE} -o jsonpath='{.items[*].status.externalURL}')}" +export OIDC_ISSUER_URL="${OIDC_ISSUER_URL:=${KEYCLOAK_HOSTNAME}/auth/realms/${KEYCLOAK_REALM}}" + +if [[ `kubectl api-resources -o name | grep securesigns.rhtas.redhat.com` ]]; then + CURRENT_NAMESPACE="${RHTAS_NAMESPACE:=$(kubectl config view --minify -o jsonpath='{..namespace}')}" + + # Ensure Securesign resource has been created + SECURESIGN_NAME=$(kubectl get securesign -n ${CURRENT_NAMESPACE} -o name | head -1) + if [[ -z "${SECURESIGN_NAME}" ]]; then + echo "Error: Securesign resource not created in namespace \"${CURRENT_NAMESPACE}\"" + return + fi + + TUF_URL=$(kubectl get tuf -o jsonpath='{.items[0].status.url}' -n ${CURRENT_NAMESPACE}) + REKOR_URL=$(kubectl get rekor -o jsonpath='{.items[0].status.url}' -n ${CURRENT_NAMESPACE}) + FULCIO_URL=$(kubectl get fulcio -o jsonpath='{.items[0].status.url}' -n ${CURRENT_NAMESPACE}) +else + # Set Values for Helm Chart deployment + TUF_URL="${TUF_URL:=https://tuf.${BASE_HOSTNAME}}" + FULCIO_URL="${FULCIO_URL:=https://fulcio.${BASE_HOSTNAME}}" + REKOR_URL="${REKOR_URL:=https://rekor.${BASE_HOSTNAME}}" +fi + +# Common Variables +export COSIGN_FULCIO_URL="${FULCIO_URL}" +export COSIGN_REKOR_URL="${REKOR_URL}" +export COSIGN_MIRROR="${TUF_URL}" +export COSIGN_ROOT="${TUF_URL}/root.json" +export COSIGN_OIDC_ISSUER="${OIDC_ISSUER_URL}" +export COSIGN_OIDC_CLIENT_ID="${KEYCLOAK_CLIENT_ID}" +export COSIGN_CERTIFICATE_OIDC_ISSUER="${OIDC_ISSUER_URL}" export COSIGN_YES="true" -export SIGSTORE_FULCIO_URL=$COSIGN_FULCIO_URL -export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER -export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL -export REKOR_REKOR_SERVER=$COSIGN_REKOR_URL +export SIGSTORE_FULCIO_URL="${FULCIO_URL}" +export SIGSTORE_OIDC_CLIENT_ID="${KEYCLOAK_CLIENT_ID}" +export SIGSTORE_OIDC_ISSUER="${OIDC_ISSUER_URL}" +export SIGSTORE_REKOR_URL="${REKOR_URL}" +export REKOR_REKOR_SERVER="${REKOR_URL}"