Secrets - Grafana scripts (#1468)

* updates to app reg info * Grafana script updates
equinor · Oct 4, 2024 · 1510748 · 1510748
1 parent 17bdf67
commit 1510748
Show file tree

Hide file tree

Showing 10 changed files with 64 additions and 310 deletions.
diff --git a/scripts/add_reply_url_for_cluster.sh b/scripts/add_reply_url_for_cluster.sh
@@ -7,8 +7,6 @@
 # Example 1:
 # AAD_APP_NAME="Omnia Radix Web Console" K8S_NAMESPACE="radix-web-console-prod" K8S_INGRESS_NAME="web" REPLY_PATH="/auth-callback" WEB_REDIRECT_URI="/applications" ./add_reply_url_for_cluster.sh
 #
-# Example 2: Using a subshell to avoid polluting parent shell
-# (AAD_APP_NAME="ar-radix-grafana-development" K8S_NAMESPACE="default" K8S_INGRESS_NAME="grafana" REPLY_PATH="/login/generic_oauth" ./add_reply_url_for_cluster.sh)
 
 # INPUTS:
 #   AAD_APP_NAME            (Mandatory)

diff --git a/scripts/radix-zone/monitoring-infrastructure/bootstrap.sh b/scripts/radix-zone/monitoring-infrastructure/bootstrap.sh
diff --git a/scripts/radix-zone/monitoring-infrastructure/create-sp.sh b/scripts/radix-zone/monitoring-infrastructure/create-sp.sh
@@ -1,30 +1,12 @@
 #!/usr/bin/env bash
 
-#######################################################################################
-### PURPOSE
-### 
-
-# Bootstrap radix zone infrastructure for monitoring, resource gorups, keyvault etc
-
-
-#######################################################################################
-### INPUTS
-### 
-
-# Required:
-# - RADIX_ZONE_ENV      : Path to *.env file
-
-# Optional:
-# - USER_PROMPT         : Is human interaction is required to run script? true/false. Default is true.
-
-
 #######################################################################################
 ### HOW TO USE
 ### 
 
 # sh ./create-sp.sh 'env'
 
-echo "Start bootstrap of Monitoring infrastructure.. "
+echo "Create Grafana Service Principal "
 
 RADIX_ZONE_ENV="../radix_zone_$1.env"
 #######################################################################################
@@ -41,6 +23,18 @@ printf "Done.\n"
 ### Read inputs and configs
 ###
 
+
+if [[ $1 == "ext-mon" ]]; then
+    APP_REGISTRATION="radix-ar-grafana-ext-mon"
+    KEYVAULT="radix-keyv-extmon"
+else
+    APP_REGISTRATION="radix-ar-grafana-$1"
+    KEYVAULT="radix-keyv-$1"
+fi
+
+SECRETNAME="radix-ar-grafana-oauth"
+
+
 if [[ -z "$RADIX_ZONE_ENV" ]]; then
     echo "ERROR: Please provide RADIX_ZONE_ENV" >&2
     exit 1
@@ -63,19 +57,14 @@ fi
 
 printf "Logging you in to Azure if not already logged in... "
 az account show >/dev/null || az login >/dev/null
-az account set --subscription "$AZ_SUBSCRIPTION_ID" >/dev/null
 printf "Done.\n"
 
 
-
-
 cat << EOF
 Will use the following configuration:
     ------------------------------------------------------------------
     -  RADIX_ZONE                       : $RADIX_ZONE
-    -  AZ_RADIX_ZONE_LOCATION           : $AZ_RADIX_ZONE_LOCATION
-    -  RADIX_ENVIRONMENT                : $RADIX_ENVIRONMENT
-    -  APP_REGISTRATION_GRAFANA         : $APP_REGISTRATION_GRAFANA
+    -  APP_REGISTRATION_GRAFANA         : $APP_REGISTRATION
 
     -------------------------------------------------------------------
     -  AZ_SUBSCRIPTION                  : $(az account show --query name -otsv)
@@ -101,68 +90,43 @@ else
     source "$LIB_SERVICE_PRINCIPAL_PATH"
 fi
 
-function create_monitoring_service_principal() {
-
-    local name          # Input 1
-    local description   # Input 2, optional
-    local password
-    local id
-
-    name="$1"
-    description="$2"
-
-    echo "Working on ${name}: Creating service principal..."
-
-    # Skip creation if the sp exist
-    local testSP
-    testSP="$(az ad sp list --display-name "${name}" --query [].id --output tsv 2>/dev/null)"
-    if [ -z "$testSP" ]; then
-        echo "creating ${name}..."
-        password="$(az ad sp create-for-rbac --name "${name}" --query password --output tsv)"
-        id="$(az ad sp list --display-name "${name}" --query [].id --output tsv)"
-        secret="$(az ad sp credential list --id "${id}" --query "sort_by([?displayName=='rbac'], &endDateTime)[-1:].{endDateTime:endDateTime,keyId:keyId}")"
-        secret_id="$(echo "${secret}" | jq -r .[].keyId)"
-        expiration_date="$(echo "${secret}" | jq -r .[].endDateTime | sed 's/\..*//')"
-        echo " Done.\n"
-
-        echo "Update credentials in keyvault..."
-        update_app_credentials_in_az_keyvault "${name}" "${id}" "${password}" "${description}" "${secret_id}" "${expiration_date}" "${AZ_RESOURCE_MON_KEYVAULT}"
-    else
-        echo "${name} exists.\n"
-    fi
 
-    echo "Update owners of app registration...."
-    update_ad_app_owners "${name}"
+name=$APP_REGISTRATION
+description="Grafana Oauth, main app for user authentication to Grafana"
 
-    echo "Update owners of service principal..."
-    update_service_principal_owners "${name}"
+# Skip creation if the sp exist
 
-    echo "Update additional SP info..."
+testSP="$(az ad sp list --display-name "${name}" --query [].id --output tsv 2>/dev/null)"
+if [ -z "$testSP" ]; then
+    echo "$testSP, ${name} does not exist"
+
+    password="$(az ad sp create-for-rbac --name "${name}" --query password --output tsv)"
     id="$(az ad sp list --display-name "${name}" --query [].id --output tsv)"
-    echo "This id ${id} and description: ${description}"
-    az ad sp update --id "${id}" --set notes="${description}"
+    password="$(az ad sp credential reset --id "${id}" --display-name "${SECRETNAME}" --append --query password --output tsv --only-show-errors)"
+    secret="$(az ad sp credential list --id "${id}" --query "sort_by([?displayName=='${SECRETNAME}'], &endDateTime)[-1:].{endDateTime:endDateTime,keyId:keyId}")"
+    expiration_date="$(echo "${secret}" | jq -r .[].endDateTime | sed 's/\..*//')"
+
+    echo "Update credentials in keyvault for appId $id, $secret with exp. date $expiration_date"
+    az keyvault secret set --vault-name $KEYVAULT --name $SECRETNAME --value "${password}" --expires ${expiration_date} 2>&1 >/dev/null
+else
+    id=$testSP
+    echo "${name} exists.\n"
+fi
 
-    echo "Done."
-}
+echo "Update additional info, $name - $description"
+id="$(az ad sp list --display-name "${name}" --query [].id --output tsv)"
+
+echo "Update description"
+az ad sp update --id "${id}" --set notes="${description}"
+
+echo "Update owners of app registration...."
+update_ad_app_owners "${name}"
+
+echo "Update owners of service principal..."
+update_service_principal_owners "${name}"
+
+
+echo "Done."
 
-function create_monitoring_ar_secret(){    
-    local name          # Input 1
-    local secretname    # Input 2
-    local description   # Input 3, optional
 
 
-    name="$1"
-    secretname="$2"
-    description="$3"
-
-    echo "Create secret for ${name}"
-    id="$(az ad app list --filter "displayname eq '${name}'" --query [].id --output tsv)"
-
-    password="$(az ad app credential reset --id "${id}" --display-name "${secretname}" --append --query password --output tsv --only-show-errors)"
-    secret="$(az ad app credential list --id "${id}" --query "sort_by([?displayName=='${secretname}'], &endDateTime)[-1].{endDateTime:endDateTime,keyId:keyId}")"
-    secret_id="$(az ad app credential list --id "${id}" --query "sort_by([?displayName=='${secretname}'], &endDateTime)[-1].keyId")"
-    expiration_date="$(az ad app credential list --id "${id}" --query "sort_by([?displayName=='${secretname}'], &endDateTime)[-1].endDateTime" --output tsv)"
-
-    echo "Update credentials in keyvault..."
-    update_app_credentials_in_az_keyvault "${secretname}" "${id}" "${password}" "${description}" "${secret_id}" ${expiration_date} "${AZ_RESOURCE_MON_KEYVAULT}"
-}