-
Notifications
You must be signed in to change notification settings - Fork 67
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add the script to download certs and apply azure policy operation on …
…an AKS Signed-off-by: Shahram Kalantari <[email protected]>
- Loading branch information
1 parent
d0eb4ff
commit 2e69f8e
Showing
1 changed file
with
54 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| #!/bin/bash | ||
|
|
||
| echo "Starting Ratify on Azure\n" | ||
| echo "RESOURCE_GROUP: $RESOURCE_GROUP\n" | ||
| echo "CLUSTER_NAME: $CLUSTER_NAME\n" | ||
| echo "ENABLE_MUTATION: $ENABLE_MUTATION\n" | ||
| echo "ENABLE_CERT_ROTATION: $ENABLE_CERT_ROTATION\n" | ||
|
Check warning Code scanning / Scorecard Pinned-Dependencies Medium
score is 9: downloadThenRun not pinned by hash
Click Remediation section below to solve this issue |
||
| # SUB_ID=$(az account show --query id --output tsv) | ||
| # echo "SUB_ID: $SUB_ID\n" | ||
| # az account set --subscription $SUB_ID | ||
| # az account show --query "id" | ||
| # az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME -o json | ||
| # echo "enable managed identity ... \n" | ||
| # az aks update --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --enable-managed-identity | ||
| # echo "running az deployment-scripts list\n" | ||
| # az deployment-scripts list --query "[].{Name:name, Identity:identity}" | ||
| # # Get AKS credentials | ||
| # echo "show identity info\n" | ||
| # for i in {1..10}; do | ||
| # IDENTITY=$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "identity" -o json) | ||
| # echo "IDENTITY: $IDENTITY ........" | ||
| # if [ "$IDENTITY" != "" ]; then | ||
| # echo "Identity retrieved: $IDENTITY" | ||
| # break | ||
| # fi | ||
| # echo "Identity not yet available, retrying in 10 seconds..." | ||
| # sleep 10 | ||
| # done | ||
| # az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "identity" -o json | ||
| # echo "show identityProfile info\n" | ||
| # az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "identityProfile" -o json | ||
| # echo "show account info\n" | ||
| # az account show --query "{name:name, user:user}" -o json | ||
| # principalId=$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "identity.principalId" -o tsv) | ||
| # echo "principalId: $principalId" | ||
| # echo "role assignment ...\n" | ||
| # az role assignment list --assignee $principalId --output table | ||
| # az role assignment create --assignee $principalId --role "Azure Kubernetes Service Cluster User" --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.ContainerService/managedClusters/$CLUSTER_NAME | ||
|
|
||
| # clientId=$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "identity.clientID" -o tsv) | ||
| # echo "clientId: $clientId\n" | ||
| # az deployment-scripts list --query "[].{Name:name, Identity:identity}" | ||
| # az login --identity | ||
|
|
||
| az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --overwrite-existing | ||
|
|
||
|
|
||
| # install helm | ||
| curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash | ||
|
|
||
| # Install Ratify using Helm | ||
| helm repo add ratify https://deislabs.github.io/ratify | ||
| helm repo update --namespace gatekeeper-system --create-namespace --set authProvider.azureWorkloadIdentity.clientID=$RATIFY_CLIENT_ID --set provider.enableMutation=$ENABLE_MUTATION --set featureFlags.RATIFY_CERT_ROTATION=$ENABLE_CERT_ROTATION | ||
|
|
||