OCP IAM pod identity
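#!/bin/bash
# Publish an OIDC discovery document and JWKS for an OpenShift cluster's
# service-account signing key to a public S3 bucket, so that AWS IAM can be
# configured to trust the cluster's projected service-account tokens.
#
# Requires: oc (logged in with rights to read the kube-controller-manager
# secret), jq, base64, aws (credentials configured), curl, and the
# ./self-hosted helper that renders a JWKS from a PKCS#8 public key.
#
# Side effects: writes sa-signer.key (the cluster's PRIVATE signing key),
# sa-signer-pkcs8.pub, discovery.json and keys.json to the current
# directory; creates the bucket if it does not exist; uploads only the two
# public documents with a public-read ACL.
#
# -x traces every command to stderr; the key material itself flows through
# pipes/files and is not echoed, but the trace does reveal bucket and
# region names. pipefail is required so that a failing `oc get` does not
# silently leave an empty key file behind (set -e alone ignores it).
set -xeo pipefail
export S3_BUCKET=sjenning-oidc-provider
export AWS_REGION=us-west-1

# Extract the serviceaccount keypair from cluster
PRIV_KEY="sa-signer.key"
PKCS_KEY="sa-signer-pkcs8.pub"
# The private key lands on local disk: create it owner-only (0600) so no
# other local user can read it. The subshell scopes the umask change to
# this one write; the public key is written with the normal umask.
(umask 077; oc get -n openshift-kube-controller-manager secret -ojson service-account-private-key \
  | jq -r '.data["service-account.key"]' | base64 -d > "$PRIV_KEY")
oc get -n openshift-kube-controller-manager secret -ojson service-account-private-key \
  | jq -r '.data["service-account.pub"]' | base64 -d > "$PKCS_KEY"

# `--out text` prints "None" when the JMESPath filter matches no bucket.
_bucket_name=$(aws s3api list-buckets --query "Buckets[?Name=='$S3_BUCKET'].Name | [0]" --out text)
if [[ "$_bucket_name" == "None" ]]; then
  aws s3api create-bucket --bucket "$S3_BUCKET" \
    --create-bucket-configuration "LocationConstraint=$AWS_REGION"
fi
printf 'export S3_BUCKET=%s\n' "$S3_BUCKET"

# NOTE: this deliberately overwrites the shell's HOSTNAME variable; kept for
# compatibility with callers that source this script.
export HOSTNAME=s3-$AWS_REGION.amazonaws.com
export ISSUER_HOSTPATH=$HOSTNAME/$S3_BUCKET

# Discovery document: the issuer URL must match exactly what the cluster's
# token issuer is set to (trailing slash included) or IAM will reject tokens.
cat <<EOF > discovery.json
{
  "issuer": "https://$ISSUER_HOSTPATH/",
  "jwks_uri": "https://$ISSUER_HOSTPATH/keys.json",
  "authorization_endpoint": "urn:kubernetes:programmatic_authorization",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "claims_supported": [
    "sub",
    "iss"
  ]
}
EOF

# Only the PUBLIC key feeds the JWKS. The key entry is duplicated with an
# empty kid so tokens that carry no "kid" header still match a key.
./self-hosted -key "$PKCS_KEY" | jq '.keys += [.keys[0]] | .keys[1].kid = ""' > keys.json

# Both documents must be world-readable for IAM to fetch them. NOTE(review):
# buckets created with ACLs disabled reject --acl; if the copy fails with
# AccessControlListNotSupported, grant public read via a bucket policy instead.
aws s3 cp --acl public-read ./discovery.json "s3://$S3_BUCKET/.well-known/openid-configuration"
aws s3 cp --acl public-read ./keys.json "s3://$S3_BUCKET/keys.json"

# Verify the documents are actually reachable anonymously; -f makes a 403/404
# fail the script instead of printing an error page and exiting 0.
curl -fsS "https://$ISSUER_HOSTPATH/.well-known/openid-configuration"
curl -fsS "https://$ISSUER_HOSTPATH/keys.json"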