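#!/bin/bash
# Written by Stuart Kirk with significant content from Jules Ouellette & Ahmed Sabbour
# stuart.kirk@microsoft.com, jules.ouellette@microsoft.com, asabbour@microsoft.com
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
# NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Connect an Azure Red Hat OpenShift (ARO 4) cluster to Azure Active Directory:
#   1. create an Azure AD application whose reply URL is the cluster's OAuth callback,
#   2. store the generated client secret in the openshift-config namespace,
#   3. register an OpenID identity provider named "AAD" on the cluster OAuth config.
#
# Usage:    aro4-aad-connect.sh <ARO Cluster Name> <ARO Resource Group Name>
# Requires: az (logged in to the subscription owning the cluster), jq, oc, uuidgen.
# Env:      ARO_SKIP_TLS_VERIFY — passed to `oc login --insecure-skip-tls-verify=`.
#           Defaults to "true" (the original behaviour); set to "false" to verify the
#           API server certificate before sending the kubeadmin password.
set -euo pipefail

# Print an error to stderr and abort; nothing below should continue on a failed step
# (the original silenced errors and kept going with empty variables).
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

echo " "
echo " "
echo "Connecting Azure Red Hat OpenShift to Azure Active Directory"
if [[ $# -ne 2 ]]; then
  echo "Usage: $BASH_SOURCE <ARO Cluster Name> <ARO Resource Group Name>"
  exit 1
fi
for tool in az jq oc uuidgen; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool '$tool' not found in PATH"
done

echo "I will attempt to connect Azure Red Hat OpenShift to Azure Active Directory."
echo "*** Please note if your ARO cluster uses a custom domain, the console and app addresses must resolve prior to running this script ***"
echo "ARO Cluster Name: $1"
echo "ARO Resource Group Name: $2"
echo "Shall I continue?"
PS3="Select a numbered option >> "
options=("Yes" "No")
select yn in "${options[@]}"; do
  case "$yn" in
    Yes) break ;;
    No) echo "Well okay then."; exit ;;
  esac
done

########## Set Variables
echo -n "Obtaining the variables I need..."
aroName="$1"
export aroName
echo -n "aroName, "
aroRG="$2"
export aroRG
echo -n "aroRG, "
# One `az aro show` instead of six, and its failure aborts instead of being silenced
# (an unreadable cluster previously produced empty values that were baked into the IdP).
aroJson="$(az aro show -g "$aroRG" -n "$aroName" -o json)" \
  || die "az aro show failed for cluster '$aroName' in resource group '$aroRG'"
# Suffix of the managed resource group name (aro-<suffix>); used for the non-aroapp.io callback.
dns="$(jq -r '.clusterProfile.resourceGroupId' <<<"$aroJson" | cut -f5 -d/ | cut -f2 -d-)"
export dns
echo -n "dns, "
location="$(jq -r '.location' <<<"$aroJson")"
export location
echo -n "location, "
domain="$(jq -r '.clusterProfile.domain' <<<"$aroJson")"
export domain
echo -n "domain, "
apiServer="$(jq -r '.apiserverProfile.url' <<<"$aroJson")"
export apiServer
echo -n "apiServer, "
webConsole="$(jq -r '.consoleProfile.url' <<<"$aroJson")"
export webConsole
echo -n "webConsole, "
consoleUrl="$webConsole"
export consoleUrl
echo -n "consoleUrl, "
for v in location domain apiServer consoleUrl; do
  [[ -n "${!v}" && "${!v}" != "null" ]] || die "could not determine '$v' from az aro show output"
done
# Random client secret for the AAD application (uuidgen: 122 random bits for v4).
# NOTE(review): `az ad app create --password` has been removed in recent Azure CLI
# releases; `az ad app credential reset` generates the secret server-side instead.
clientSecret="$(uuidgen | tr -d '\n\r')"
export clientSecret
echo -n "clientSecret, "
if [[ "$consoleUrl" == *aroapp.io* ]]; then
  oauthCallbackURL="https://oauth-openshift.apps.$domain.$location.aroapp.io/oauth2callback/AAD"
else
  # NOTE(review): this uses the managed resource group suffix rather than the custom
  # domain; confirm it matches the cluster's apps DNS name (compare with $consoleUrl).
  oauthCallbackURL="https://oauth-openshift.apps.$dns/oauth2callback/AAD"
fi
export oauthCallbackURL
echo -n "oauthCallbackURL..."
echo "done."

########## Create Manifest
# Scratch files go in a private mktemp directory (not the CWD) and are removed on
# every exit path, including a failure half-way through.
workDir="$(mktemp -d)" || die "mktemp failed"
trap 'rm -rf -- "$workDir"' EXIT
manifest="$workDir/manifest.json"
echo -n "Creating manifest for Azure application..."
cat > "$manifest" <<'EOF'
[{
"name": "upn",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "name",
"source": null,
"essential": false,
"additionalProperties": []
}]
EOF
echo "done."

########## Generate and configure SP
echo -n "Configuring Azure Application & Service Principal..."
# Errors are no longer discarded: an empty appId here would otherwise yield an
# identity provider with clientID "" and an orphaned secret on the cluster.
# The secret is still passed on argv (visible in `ps` while the command runs).
appId="$(az ad app create --query appId -o tsv \
  --display-name "aro-$domain-aad-connector" \
  --reply-urls "$oauthCallbackURL" \
  --password "$clientSecret")" || die "az ad app create failed"
[[ -n "$appId" ]] || die "az ad app create returned no appId"
tenantId="$(az account show --query tenantId -o tsv)" || die "az account show failed"
[[ -n "$tenantId" ]] || die "could not determine tenantId"
az ad app update --set "optionalClaims.idToken=@$manifest" --id "$appId" \
  || die "az ad app update failed"
# Delegated permission on the API 00000002-... (Azure AD Graph), as in the original.
# NOTE(review): Azure AD Graph is retired; the Microsoft Graph equivalent should be used.
az ad app permission add --api 00000002-0000-0000-c000-000000000000 \
  --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope --id "$appId" \
  || die "az ad app permission add failed"
echo "done."

########## Obtain PW and login to ARO CLI
echo -n "Obtaining ARO login credentials for kubeadmin user..."
# Select the field by name instead of relying on the column order of TSV output.
kubePW="$(az aro list-credentials -n "$aroName" -g "$aroRG" --query kubeadminPassword -o tsv)" \
  || die "az aro list-credentials failed"
[[ -n "$kubePW" ]] || die "empty kubeadmin password returned"
skipTls="${ARO_SKIP_TLS_VERIFY:-true}"
if [[ "$skipTls" == "true" ]]; then
  printf 'WARNING: oc login will NOT verify the API server certificate (--insecure-skip-tls-verify=true);\n' >&2
  printf '         the kubeadmin password could be sent to an impersonating endpoint. Set ARO_SKIP_TLS_VERIFY=false to verify.\n' >&2
fi
# The kubeadmin password is passed on argv because `oc login` has no stdin option;
# it is visible in `ps` for the duration of the login.
oc login -u kubeadmin -p "$kubePW" --server "$apiServer" "--insecure-skip-tls-verify=$skipTls" \
  || die "oc login failed"
echo "done."

########## Create ARO openID authentication secrets file
echo " "
echo "Creating ARO openID authentication secrets file..."
# --from-file with a process substitution keeps the client secret out of argv (the
# original --from-literal exposed it to `ps` and shell tracing); `apply` makes the
# step idempotent, so it covers both the first run and re-runs.
oc create secret generic openid-client-secret-azuread -n openshift-config \
  --from-file=clientSecret=<(printf '%s' "$clientSecret") \
  --dry-run=client -o yaml | oc apply -n openshift-config -f - \
  || die "failed to store the client secret in openshift-config"
echo "done."

########## Register the openID identity provider on the cluster OAuth configuration
echo -n "Merging the AAD identity provider into the OpenShift authentication provider configuration..."
# A JSON merge patch replaces the original "delete the last line of `oc get -o yaml`
# and append a second `spec:`" text surgery, which only produced valid YAML when that
# last line happened to be `spec: {}`. jq builds the document so the values cannot
# break the JSON. Like the original, this replaces the whole identityProviders list,
# so any provider configured earlier is removed.
oauthPatch="$(jq -n --arg appId "$appId" --arg tenantId "$tenantId" '{
  spec: {
    identityProviders: [{
      name: "AAD",
      mappingMethod: "claim",
      type: "OpenID",
      openID: {
        clientID: $appId,
        clientSecret: { name: "openid-client-secret-azuread" },
        extraScopes: ["email", "profile"],
        extraAuthorizeParameters: { include_granted_scopes: "true" },
        claims: {
          preferredUsername: ["email", "upn"],
          name: ["name"],
          email: ["email"]
        },
        issuer: ("https://login.microsoftonline.com/" + $tenantId)
      }
    }]
  }
}')" || die "failed to build the OAuth patch"
echo "done."

########## Apply configuration
echo " "
echo "Applying revised authentication provider configuration to OpenShift..."
oc patch oauth cluster --type merge -p "$oauthPatch" || die "oc patch oauth cluster failed"
echo "done."

########## Clean Up (the EXIT trap removes $workDir)
echo -n "Cleaning up..."
echo "done."
exit 0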