#!/usr/bin/env python3
""" GitHub Actions Secrets Generator
This script generates the CLUSTER_TOKEN and API_SERVER secrets for GitHub Actions.
It takes two arguments, --token and --server, which match those of the `oc login` command.
"""
import argparse
import subprocess
import sys
import os
import re
import urllib.parse
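def _run_step(cmd, failure, *, data=None, fatal=True):
    """Run one external command and report a failure on stderr.

    A step counts as failed when the command exits non-zero or writes anything
    to stderr. Checking the exit status as well as stderr catches commands
    that fail without printing a diagnostic.

    Args:
        cmd: Argument list handed to ``subprocess.run`` (no shell involved).
        failure: Text placed after ``[ERROR]`` when the step fails.
        data: Optional bytes fed to the command's stdin.
        fatal: When true, a failed step terminates the script with status 1.

    Returns:
        The ``CompletedProcess`` on success, or ``None`` when a non-fatal step
        failed.
    """
    proc = subprocess.run(cmd, input=data, capture_output=True)
    err = proc.stderr.decode("utf-8")
    if proc.returncode != 0 or err.strip():
        print(f"[ERROR] {failure}: {err}", file=sys.stderr)
        if fatal:
            sys.exit(1)
        return None
    return proc


def main():
    """Recreate the service account and print the GitHub Actions secrets.

    Steps: log in with ``oc login``, delete and re-apply the kustomize overlay
    under ``config/overlays/prod/``, look up the service account's token
    secret, decode the token, and print ``CLUSTER_TOKEN`` plus the
    base64-encoded ``API_SERVER`` on stdout. Progress output of the ``oc``
    commands goes to stderr.

    Exits with status 1 when any step other than the initial delete fails.

    NOTE(review): the login token is passed on the command line (to this
    script and on to ``oc``), so it is visible in the process list while the
    commands run, and the resulting cluster token is printed in clear text.
    Run this only on a trusted workstation and keep the output out of shared
    logs.
    """
    import base64  # local import: only this function needs it

    parser = argparse.ArgumentParser()
    parser.add_argument("-t", "--token", dest="token", type=str, required=True,
                        help="oc login token")
    parser.add_argument("-s", "--server", dest="server", type=str, required=True,
                        help="OpenShift server URL")
    args = parser.parse_args()

    # NOTE(review): --insecure-skip-tls-verify turns off certificate
    # verification for the connection that carries the token, so the API
    # server's identity is not checked. Prefer trusting the cluster CA
    # (`oc login --certificate-authority=...`) and dropping this flag.
    login = _run_step(
        ["oc", "login", "--insecure-skip-tls-verify",
         f"--token={args.token}", f"--server={args.server}"],
        "Error logging in with `oc login`",
    )
    print(login.stdout.decode("utf-8"), file=sys.stderr)

    # Resolve the script directory to an absolute path: with a bare relative
    # __file__, dirname() is "" and the overlay path would point at
    # "/config/overlays/prod/" in the filesystem root.
    script_dir = os.path.dirname(os.path.abspath(__file__))
    overlay = script_dir + "/config/overlays/prod/"

    # Deleting is best-effort: on a first run there is nothing to delete.
    deleted = _run_step(
        ["oc", "delete", "-k", overlay],
        "Error deleting existing service account, roles, and role bindings",
        fatal=False,
    )
    if deleted is not None:
        print(deleted.stdout.decode("utf-8"), file=sys.stderr)

    applied = _run_step(
        ["oc", "apply", "-k", overlay],
        "Error creating new service account, roles, and role bindings",
    )
    print(applied.stdout.decode("utf-8"), file=sys.stderr)

    account = _run_step(
        ["oc", "get", "sa", "chart-verifier-admin",
         "-n", "prod-chart-verifier-infra", "-o", "yaml"],
        "Error getting token secret from service account",
    )
    account_yaml = account.stdout.decode("utf-8")
    print(account_yaml, file=sys.stderr)

    # The service account manifest names its token secret; pick it out by name.
    secret = re.search(r"chart\-verifier\-admin\-token\-[\w]+", account_yaml)
    if not secret:
        # Errors go to stderr like every other failure in this script.
        print("[ERROR] Error finding token secret under service account",
              file=sys.stderr)
        sys.exit(1)

    manifest = _run_step(
        ["oc", "get", "secret", secret.group(),
         "-n", "prod-chart-verifier-infra", "-o", "yaml"],
        "Error getting cluster token secret",
    )
    # NOTE(review): this writes the whole secret manifest, including the
    # encoded token, to stdout; kept as in the original, but consider sending
    # it to stderr or dropping it so stdout carries only the two final values.
    print(urllib.parse.unquote(manifest.stdout.decode("utf-8")))

    # Check the yq step too: without this, a yq failure produced an empty
    # CLUSTER_TOKEN with no error.
    extracted = _run_step(
        ["yq", "e", ".data.token", "-"],
        "Error extracting token from secret with `yq`",
        data=manifest.stdout,
    )
    token_b64 = extracted.stdout.strip()
    if not token_b64 or token_b64 == b"null":
        print("[ERROR] Error extracting token from secret: "
              ".data.token is missing or empty", file=sys.stderr)
        sys.exit(1)

    # Decode in-process instead of piping through the external `base64` tool.
    try:
        cluster_token = base64.b64decode(token_b64, validate=True).decode("utf-8")
    except ValueError as exc:  # binascii.Error and UnicodeDecodeError
        print(f"[ERROR] Error base64 decoding cluster token: {exc}",
              file=sys.stderr)
        sys.exit(1)

    # Same result as `echo -n SERVER | base64 -w 0`, without relying on the
    # GNU-only `-w` option.
    encoded_api_server = base64.b64encode(args.server.encode("utf-8")).decode("ascii")

    print(f"CLUSTER_TOKEN: {cluster_token}\n")
    print(f"API_SERVER: {encoded_api_server}")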
# Run the generator only when this file is executed as a script, so that
# importing the module has no side effects.
if __name__ == "__main__":
    main()