bug fix: change keycloak client logic to support multiple uris #186

Merged
merged 2 commits into from
May 22, 2023
Merged
94 changes: 90 additions & 4 deletions deploy_apps/tks-lma-federation-wftpl.yaml
Expand Up @@ -151,6 +151,20 @@ spec:
- name: decapod_site_repo
value: "{{workflow.parameters.github_account}}/{{workflow.parameters.cluster_id}}"

- - name: argocd-sync-wait
template: argocd-sync-wait
arguments:
parameters:
- name: cluster_id
value: '{{workflow.parameters.cluster_id}}'

- - name: grafana-restart
template: grafana-restart
arguments:
parameters:
- name: cluster_id
value: '{{workflow.parameters.cluster_id}}'

#######################
# Template Definition #
#######################
Expand Down Expand Up @@ -515,7 +529,7 @@ spec:
# Login to keycloak
admin_username=$(kubectl get secret -n keycloak credential-tks-keycloak -o jsonpath="{.data.ADMIN_USERNAME}" | base64 -d)
admin_password=$(kubectl get secret -n keycloak credential-tks-keycloak -o jsonpath="{.data.ADMIN_PASSWORD}" | base64 -d)
TOKEN=$(curl -k -X POST ${keycloak_url}/auth/realms/master/protocol/openid-connect/token -d grant_type=password -d username=${admin_username} -d password=${admin_password} -d client_id=admin-cli | jq -r '.access_token')
TOKEN=$(curl -s -k -X POST ${keycloak_url}/auth/realms/master/protocol/openid-connect/token -d grant_type=password -d username=${admin_username} -d password=${admin_password} -d client_id=admin-cli | jq -r '.access_token')

# Create client json file
printf '{
Expand All @@ -531,14 +545,22 @@ spec:
curl -s -k POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d @client.json ${keycloak_url}/auth/admin/realms/${organization_id}/clients
sleep 5
client_uuid=$(curl -s -k GET -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" ${keycloak_url}/auth/admin/realms/${organization_id}/clients\?\clientId\=grafana | jq -r ' .[] | {id} | .id')
secret=$(curl -s -k GET -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"type":"secret"}' ${keycloak_url}/auth/admin/realms/${organization_id}/clients/${client_uuid}/client-secret | jq -r '.value')
else
# Reuse client
echo "client already exist"
JSON_DATA=$(curl -s -k GET -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" ${keycloak_url}/auth/admin/realms/${organization_id}/clients\?\clientId\=grafana)

# Convert the array to a JSON array
MODIFIED_JSON=$(echo "$JSON_DATA" | jq --arg endpoint "$endpoint" 'map(.redirectUris += [$endpoint] | {redirectUris: .redirectUris})')
MODIFIED_JSON=$(echo $MODIFIED_JSON | jq '.[0]')
# Write the JSON array to a new file
echo "$MODIFIED_JSON" > modified_data.json
curl -s -k -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d @modified_data.json ${keycloak_url}/auth/admin/realms/${organization_id}/clients/${client_uuid}

secret=$(curl -s -k GET -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" ${keycloak_url}/auth/admin/realms/${organization_id}/clients/${client_uuid}/client-secret | jq -r '.value')
fi

# Get client secret
secret=$(curl -s -k GET -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"type":"secret"}' ${keycloak_url}/auth/admin/realms/${organization_id}/clients/${client_uuid}/client-secret | jq -r '.value')

echo ${secret} > /mnt/out/keycloak_client_secret.txt
echo ${endpoint} > /mnt/out/grafana_endpoint.txt

Expand Down Expand Up @@ -609,3 +631,67 @@ spec:
name: "git-svc-token"
- secretRef:
name: "tks-api-secret"

- name: argocd-sync-wait
inputs:
parameters:
- name: cluster_id
container:
name: argocd-sync-wait
image: harbor-cicd.taco-cat.xyz/tks/argocd-cli:v2.2.5
command:
- /bin/bash
- '-c'
- |
# log into Argo CD server
./argocd login $ARGO_SERVER --plaintext --insecure --username $ARGO_USERNAME \
--password $ARGO_PASSWORD

app_name={{inputs.parameters.cluster_id}}-grafana

# sync app
echo "sync app $app_name"
./argocd app sync $app_name

# wait for sync
./argocd app wait $app_name --sync

envFrom:
- secretRef:
name: "decapod-argocd-config"
activeDeadlineSeconds: 900

- name: grafana-restart
inputs:
parameters:
- name: cluster_id
container:
name: grafana-restart
image: 'harbor-cicd.taco-cat.xyz/tks/shyaml_jq_yq_kubectl_python:3.11'
command:
- /bin/bash
- '-c'
- |
function log() {
level=$1
msg=$2
date=$(date '+%F %H:%M:%S')
echo "[$date] $level $msg"
}

cluster_id={{inputs.parameters.cluster_id}}

kube_secret=$(kubectl get secret -n ${cluster_id} ${cluster_id}-kubeconfig -o jsonpath="{.data.value}" | base64 -d)
cat <<< "$kube_secret" > kubeconfig
pods=$(kubectl --kubeconfig kubeconfig get pods -n lma | grep grafana | awk '{print $1}')

for pod in $pods
do
echo "Deleting pod $pod"
kubectl --kubeconfig kubeconfig delete pod $pod -n lma
done

envFrom:
- secretRef:
name: tks-api-secret
activeDeadlineSeconds: 900
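Review bot: The reuse branch appends `$endpoint` to `redirectUris` unconditionally (`map(.redirectUris += [$endpoint] | {redirectUris: .redirectUris})`), so re-running the workflow for the same cluster registers the same URI twice, and because the removal workflow in tks-remove-lma-federation-wftpl.yaml chooses between pruning and deleting the client by `redirectUris | length`, a duplicated entry leaves an orphaned client with an empty redirect list instead of deleting it; de-duplicating in the filter, `map(.redirectUris |= (. + [$endpoint] | unique) | {redirectUris: .redirectUris})`, avoids that. The PUT that follows discards its HTTP status, so a failed update still lets the step write the client secret and endpoint to /mnt/out and the workflow proceeds with a redirect URI Keycloak never accepted; adding `--fail` to the PUT (and to the POST in the create branch) makes the step fail visibly. `echo $MODIFIED_JSON` on the `.[0]` line is unquoted, unlike the line above it; `echo "$MODIFIED_JSON"` keeps the JSON intact under word splitting and globbing. The `if` that selects the create or reuse branch, and the assignment of `client_uuid` that the reuse branch relies on, start above this hunk.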
69 changes: 51 additions & 18 deletions deploy_apps/tks-remove-lma-federation-wftpl.yaml
Expand Up @@ -36,6 +36,17 @@ spec:
templates:
- name: removeLMA
steps:
- - name: remove-keycloak-client
template: remove-keycloak-client
arguments:
parameters:
- name: organization_id
value: '{{workflow.parameters.organization_id}}'
- name: cluster_id
value: '{{workflow.parameters.cluster_id}}'
- name: keycloak_url
value: '{{workflow.parameters.keycloak_url}}'

- - name: removeAppGroup
templateRef:
name: remove-lma-federation
Expand Down Expand Up @@ -74,14 +85,6 @@ spec:
value: ""
when: "{{steps.get-clusters-in-contract.outputs.parameters.primary_cluster}} == {{workflow.parameters.cluster_id}}"

- - name: remove-keycloak-client
template: remove-keycloak-client
arguments:
parameters:
- name: organization_id
value: '{{workflow.parameters.organization_id}}'
- name: keycloak_url
value: '{{workflow.parameters.keycloak_url}}'

#######################
# Template Definition #
Expand Down Expand Up @@ -267,6 +270,7 @@ spec:
inputs:
parameters:
- name: organization_id
- name: cluster_id
- name: keycloak_url
volumes:
- name: out
Expand All @@ -278,15 +282,33 @@ spec:
- /bin/bash
- '-c'
- |
function log() {
level=$1
msg=$2
date=$(date '+%F %H:%M:%S')
echo "[$date] $level $msg"
}

organization_id={{inputs.parameters.organization_id}}
cluster_id={{inputs.parameters.cluster_id}}
keycloak_url={{inputs.parameters.keycloak_url}}

#################
# Get endpoints
#################

endpoint=\"grafa\"
kube_secret=$(kubectl get secret -n ${cluster_id} ${cluster_id}-kubeconfig -o jsonpath="{.data.value}" | base64 -d)
cat <<< "$kube_secret" > kubeconfig
if [ `kubectl --kubeconfig=kubeconfig get svc -n lma grafana --ignore-not-found=true | grep -v NAME | wc -l ` -eq 1 ]; then
while [ -z $(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath="{.status.loadBalancer.ingress[*].hostname}") ]
do
if [ "$(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath="{.spec.type}")" -neq "LoadBalancer" ]; then
log "FAIL" "A service for the grafana in ${cluster_id} is not configured properly.(No LoadBalancer)"
exit -1
fi

echo "Waiting for generating the loadbalancer of grafana(3s)"
sleep 3
done

endpoint=$(kubectl --kubeconfig=kubeconfig get svc -n lma grafana -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")
else
log "WARN" "Cluster(${cluster_id}) has no grafana"
fi

# Login to keycloak
admin_username=$(kubectl get secret -n keycloak credential-tks-keycloak -o jsonpath="{.data.ADMIN_USERNAME}" | base64 -d)
Expand All @@ -298,10 +320,21 @@ spec:
if [ -z "$client_uuid" ]; then
echo "client already not exist"
else
# Remove client
curl -s -k -X DELETE -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" ${keycloak_url}/auth/admin/realms/${organization_id}/clients/${client_uuid}
JSON_DATA=$(curl -s -k GET -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" ${keycloak_url}/auth/admin/realms/${organization_id}/clients\?\clientId\=grafana)
# Convert the array to a JSON array
num_redirect_uris=$(echo $JSON_DATA | jq '.[0].redirectUris | length')
if [ $num_redirect_uris -gt 1 ]
then
# Remove endpoint from client redirectUris
MODIFIED_JSON=$(echo $JSON_DATA | jq --arg value "$endpoint" '.[0] | { "redirectUris": (.redirectUris | map(select(. != $value))) }' )
# Write the JSON array to a new file
echo "$MODIFIED_JSON" > modified_data.json
curl -s -k -X PUT -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d @modified_data.json ${keycloak_url}/auth/admin/realms/${organization_id}/clients/${client_uuid}
else
# Remove client
curl -s -k -X DELETE -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" ${keycloak_url}/auth/admin/realms/${organization_id}/clients/${client_uuid}
fi
fi

envFrom:
- secretRef:
name: tks-api-secret
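Review bot: `-neq` is not a test operator, so `[ "$(kubectl ... jsonpath="{.spec.type}")" -neq "LoadBalancer" ]` fails with "binary operator expected" and returns false; the guard never fires, and a cluster whose grafana service is not a LoadBalancer spins in the `while` loop until activeDeadlineSeconds expires. The comparison should be `!=`, and `exit -1` on the next line should be `exit 1` (the shell reports -1 as 255). The pruning logic in the last hunk deletes the whole client whenever `redirectUris` has exactly one entry, without checking that the entry is this cluster's endpoint — when the endpoint was never registered (the `else` branch above only logs "has no grafana" and leaves `endpoint` at the literal `"grafa"`), another cluster's only redirect URI is deleted along with the client; filtering first and deleting only when nothing remains avoids that, as sketched below. `echo $JSON_DATA` is unquoted, and `[ -z $(kubectl ...) ]` should quote its substitution so a multi-word result cannot break the test. I cannot tell from the hunk whether create and remove workflows for the same organization can run concurrently; if they can, this read-modify-write on `redirectUris` has no guard against lost updates.

```yaml
          else
            JSON_DATA=$(curl -s -k GET -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" ${keycloak_url}/auth/admin/realms/${organization_id}/clients\?\clientId\=grafana)
            # Drop this cluster's endpoint first; delete the client only when no URIs remain
            MODIFIED_JSON=$(echo "$JSON_DATA" | jq --arg value "$endpoint" '.[0] | { "redirectUris": (.redirectUris | map(select(. != $value))) }')
            num_remaining=$(echo "$MODIFIED_JSON" | jq '.redirectUris | length')
            if [ "$num_remaining" -gt 0 ]
            then
              echo "$MODIFIED_JSON" > modified_data.json
              # … unchanged: PUT of modified_data.json to the client …
            else
              # … unchanged: DELETE of the client …
            fi
          fi
```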