From 86dbf9c3b0daa54af6f4ed12d8c76042016ab6ce Mon Sep 17 00:00:00 2001 From: Jordan Bostrom Date: Mon, 29 Jan 2024 13:10:51 -0500 Subject: [PATCH] IOPZ-1912: Add profiles for new K8s cluster --- create-k8s-chained-sessions.sh | 37 ++++++++++++++++------------------ 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/create-k8s-chained-sessions.sh b/create-k8s-chained-sessions.sh index 5bd401b..15e76e4 100755 --- a/create-k8s-chained-sessions.sh +++ b/create-k8s-chained-sessions.sh @@ -13,20 +13,17 @@ declare REGION='us-east-1' # # function to create a chained leapp session given a parent session id # Args: -# 1: parent session id name from leapp +# 1: name of environment ("playground", "staging", etc.) # 2: sso role name to use for the parent session -# 3: scope of the IAM role ("panorama" or "eks"). used only for legacy reasons -# and can be removed when the keyword is removed from the associated IAM -# roles. +# 3: scope of the IAM role ("panorama" or "eks"). # 4: name of the persona (e.g. admin, dev-writer, etc.) the new session is for -# 5: version of kubernetes, used to determine the associated IAM role function createLeappSession { green_echo "creating chained session for $1 with persona $4" - parent_session_name=$1 + environment_name=$1 + parent_session_name="panorama-k8s-${environment_name}" parent_role_name=$2 iam_role_scope=$3 persona_name=$4 - k8s_version=$5 # check if the parent session exists for the role. We do this because # not all users have access to all roles. We want to only create sessions # for roles that people have access to. @@ -36,10 +33,10 @@ function createLeappSession { return fi - chained_session_name="${parent_session_name}-${persona_name}" + chained_session_name="k8s-${environment_name}-${persona_name}" green_echo " looking for existing session ${chained_session_name}" - iam_role_name="${iam_role_scope}-${persona_name}-${k8s_version}" + iam_role_name="${iam_role_scope}-${persona_name}" chained_session_id=$(leappSessionId "$chained_session_name" "$iam_role_name") if [[ -z "${chained_session_id}" ]]; then @@ -52,7 +49,7 @@ function createLeappSession { leapp session stop --sessionId "$parent_session_id" > /dev/null 2> >(logStdErr) green_echo " creating new profile" - profile_id=$(createLeappProfile "${parent_session_name}-${persona_name}") + profile_id=$(createLeappProfile "${chained_session_name}") green_echo " creating new session" leapp session add --providerType aws --sessionType awsIamRoleChained \ @@ -77,10 +74,10 @@ function leappSessionId { # function to create a leapp profile to associate with the chained k8s sessions # stores the new profile id in PROFILE_ID function createLeappProfile { - # The ^ and $ in the session filter are regex anchors to ensure we don't - # match e.g. both `kubectl-access-role-panorama-k8s-playground` and - # `kubectl-access-role-panorama-k8s-playground-2`. - profile_name="kubectl-access-role-${1}" + # The ^ and $ in the session filter are regex anchors to ensure we are + # finding an exact match. Otherwise, we risk accidentially matching multiple + # Leapp profiles and using the wrong one. + profile_name="${1}-access" profile_id=$(leapp profile list -x --output json --filter="Profile Name=^${profile_name}$" | jq -r '.[].id') if [[ -n "${profile_id}" ]]; then echo "${profile_id}" @@ -93,12 +90,12 @@ function createLeappProfile { ###### END FUNCTIONS ###### # session names from Leapp for each k8s account -PARENT_SESSION_NAMES="panorama-k8s-playground panorama-k8s-playground-2 panorama-k8s-staging panorama-k8s-production" +ENV_NAMES="playground playground-2 staging production" -for session in $PARENT_SESSION_NAMES +for env in $ENV_NAMES do - createLeappSession "$session" "AWSAdministratorAccess" "eks" "admin" "1.24" - createLeappSession "$session" "PanoramaK8sEngineeringDefault" "panorama" "dev-writer" "1.24" - createLeappSession "$session" "PanoramaK8sEngineeringDefault" "panorama" "dev-reader" "1.24" - createLeappSession "$session" "PanoramaK8sDSAR" "panorama" "data-science-tester" "1.24" + createLeappSession "$env" "AWSAdministratorAccess" "eks" "admin" + createLeappSession "$env" "PanoramaK8sEngineeringDefault" "panorama" "dev-writer" + createLeappSession "$env" "PanoramaK8sEngineeringDefault" "panorama" "dev-reader" + createLeappSession "$env" "PanoramaK8sDSAR" "panorama" "data-science-tester" done