diff --git a/install/config-map.yaml b/install/config-map.yaml index 5d3faf9..7d518c8 100644 --- a/install/config-map.yaml +++ b/install/config-map.yaml @@ -5,8 +5,8 @@ metadata: data: grafana-uaa.ini: | [server] - domain = TEMPLATE_ESP_DOMAIN - root_url = https://TEMPLATE_ESP_DOMAIN/grafana/ + domain = TEMPLATE_GRAFANA_DOMAIN + root_url = https://TEMPLATE_GRAFANA_DOMAIN/grafana/ serve_from_sub_path = true [plugins] @@ -16,6 +16,7 @@ data: accessTokenExpirationCheck = true [security] + disable_initial_admin_creation = true cookie_secure = true cookie_samesite = lax @@ -25,12 +26,12 @@ data: [auth] disable_login_form = true - signout_redirect_url = https://TEMPLATE_ESP_DOMAIN/oauth2/sign_out?rd=https://TEMPLATE_ESP_DOMAIN/uaa/logout.do?redirect=https://TEMPLATE_ESP_DOMAIN/uaa/login + signout_redirect_url = TEMPLATE_SIGNOUT_REDIRECT_URL [auth.generic_oauth] tls_skip_verify_insecure = true enabled = true - name = UAA + name = OAuth use_pkce = true auto_login = true client_id = TEMPLATE_OAUTH_CLIENT_ID @@ -39,6 +40,9 @@ data: email_attribute_path = email name_attribute_path = user_name login_attribute_path = user_name - auth_url = https://TEMPLATE_ESP_DOMAIN/uaa/oauth/authorize - token_url = https://TEMPLATE_ESP_DOMAIN/uaa/oauth/token?token_format=jwt - api_url = https://TEMPLATE_ESP_DOMAIN/uaa/userinfo + auth_url = TEMPLATE_AUTH_URL + token_url = TEMPLATE_TOKEN_URL + api_url = TEMPLATE_API_URL + allow_assign_grafana_admin = true + role_attribute_path = contains(grafana_roles[*], 'grafana-admin') && 'GrafanaAdmin' || contains(grafana_roles[*], 'admin') && 'Admin' || contains(grafana_roles[*], 'editor') && 'Editor' || 'Viewer' + diff --git a/install/configure-grafana.sh b/install/configure-grafana.sh index 1e15247..1609200 100644 --- a/install/configure-grafana.sh +++ b/install/configure-grafana.sh 
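Review bot: With `disable_initial_admin_creation = true` added in the [security] hunk and `disable_login_form = true` kept in [auth], the only route to an administrator is the new `role_attribute_path` in the last hunk, and that expression falls back to `'Viewer'` whenever the token carries no `grafana_roles` claim. In this diff only register-oauth-client-keycloak.sh installs a mapper for that claim, so a UAA or Viya deployment appears to leave Grafana with no admin and no way to create one; if that is intended it needs documenting, and if not the UAA/Viya flows need an equivalent claim (or `role_attribute_strict = true` so a missing claim is an explicit login failure rather than a silent Viewer). `allow_assign_grafana_admin = true` turns the `grafana-admin` client role into Grafana server-admin, so who may assign that role in the IdP is now security-relevant; a line above it such as `# grafana-admin client role => Grafana server admin (allow_assign_grafana_admin); restrict who can assign it in the IdP` would make that visible to whoever edits this file next.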
@@ -2,118 +2,134 @@ set -e -o pipefail -o nounset -OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-sv_client}" -export OAUTH_CLIENT_ID - -OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-secret}" -export OAUTH_CLIENT_SECRET - -ESP_NAMESPACE="${1}" - +#input variables +ESP_NAMESPACE="${1}"; export ESP_NAMESPACE ESP_PLUGIN_SOURCE="${2}" -export ESP_PLUGIN_SOURCE +OAUTH_TYPE="${3:-uaa}" + +#optional environment variables - exported for use in other scripts +OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-sv_client}"; export OAUTH_CLIENT_ID +OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-secret}"; export OAUTH_CLIENT_SECRET +KEYCLOAK_SUBPATH="${KEYCLOAK_SUBPATH:-auth}"; export KEYCLOAK_SUBPATH +#optional environment variables DRY_RUN="${DRY_RUN:-false}" INSTALL_GRAFANA="${INSTALL_GRAFANA:-false}" -GRAFANA_VERSION="${GRAFANA_VERSION:-'9.5.13'}" +GRAFANA_VERSION="${GRAFANA_VERSION:-9.5.13}" +GRAFANA_NAMESPACE="${GRAFANA_NAMESPACE:-${ESP_NAMESPACE}}" + +function check_requirements() { + [ -z "$KUBECONFIG" ] && { + echo "KUBECONFIG environment variable unset." >&2 + exit 1 + } + + [ -z "${ESP_NAMESPACE}" ] && { + echo "Usage: ${0} " >&2 + exit 1 + } + + [ -z "${ESP_PLUGIN_SOURCE}" ] && { + echo "Usage: ${0} " >&2 + exit 1 + } + + if ! kubectl get namespace "${ESP_NAMESPACE}" 2>/dev/null 1>&2; then + echo >&2 "ERROR: Namespace ${ESP_NAMESPACE} not found." + exit 1 + fi +} -# Fetch access token to perform admin tasks: -function fetch_uaa_admin_token() { - _resp=$(curl "https://${ESP_DOMAIN}/uaa/oauth/token" -s -k -X POST \ - -H 'Content-Type: application/x-www-form-urlencoded' \ - -H 'Accept: application/json' \ - -d "client_id=${UAA_ADMIN}&client_secret=${UAA_SECRET}&grant_type=client_credentials&response_type=token") +function generate_manifests() { + if [ -d "./manifests" ]; then + echo "Existing manifest directory found." >&2 + echo "Removing manifests..." 
+ rm -r ./manifests/ + fi + + [ -d "./manifests" ] || mkdir "manifests" + cp -r *.yaml manifests/ + + for file in `find ./manifests/ -name "*.y*ml"` ; do + + sed -i 's|TEMPLATE_AUTH_URL|'$TEMPLATE_AUTH_URL'|g' $file + sed -i 's|TEMPLATE_TOKEN_URL|'$TEMPLATE_TOKEN_URL'|g' $file + sed -i 's|TEMPLATE_API_URL|'$TEMPLATE_API_URL'|g' $file + sed -i 's|TEMPLATE_SIGNOUT_REDIRECT_URL|'$TEMPLATE_SIGNOUT_REDIRECT_URL'|g' $file + + sed -i 's|TEMPLATE_GRAFANA_DOMAIN|'$GRAFANA_DOMAIN'|g' $file + sed -i 's|TEMPLATE_ESP_DOMAIN|'$ESP_DOMAIN'|g' $file + sed -i 's|TEMPLATE_OAUTH_CLIENT_ID|'$OAUTH_CLIENT_ID'|g' $file + sed -i 's|TEMPLATE_OAUTH_CLIENT_SECRET|'$OAUTH_CLIENT_SECRET'|g' $file + sed -i 's|TEMPLATE_ESP_PLUGIN_SOURCE|'$ESP_PLUGIN_SOURCE'|g' $file + sed -i 's|TEMPLATE_GRAFANA_VERSION|'$GRAFANA_VERSION'|g' $file + + if [[ "${DRY_RUN}" == true ]]; then + echo $file + cat $file + fi - echo "${_resp}" | jq -r '.access_token' + done } -# Add Grafana generic OAuth to allowed auth redirects: -function add_grafana_auth_redirect() { - _token="$(fetch_uaa_admin_token)" - _redirect="https://${ESP_DOMAIN}/grafana/login/generic_oauth" +check_requirements - _config=$(curl -s -k -X GET "https://${ESP_DOMAIN}/uaa/oauth/clients/${OAUTH_CLIENT_ID}" -H "Authorization: Bearer ${_token}") +echo "Fetching required deployment information..." 
+ESP_DOMAIN=$(kubectl -n "${ESP_NAMESPACE}" get ingress --output json | jq -r '.items[0].spec.rules[0].host') +export ESP_DOMAIN - _update_body=$(echo "${_config}" | jq -c -r --arg redirect "${_redirect}" \ - '.redirect_uri += [$redirect] | {client_id: .client_id, redirect_uri: .redirect_uri}') +GRAFANA_DOMAIN=$(kubectl -n "${GRAFANA_NAMESPACE}" get ingress --output json | jq -r '.items[0].spec.rules[0].host') - _resp=$(curl "https://${ESP_DOMAIN}/uaa/oauth/clients/${OAUTH_CLIENT_ID}" -s -k -X PUT \ - -o /dev/null -w "%{http_code}" \ - -H 'Content-Type: application/json' \ - -H "Authorization: Bearer ${_token}" \ - -H 'Accept: application/json' \ - -d "${_update_body}") +echo "Adding Grafana to allowed OAuth client redirects..." +if [ "${OAUTH_TYPE}" == "viya" ]; then - if [ "${_resp}" == '200' ]; then - echo " Grafana OAuth redirect added." - else - echo >&2 "ERROR: OAuth client redirect update failed with status code ${_resp}." - exit 1 - fi -} + if [[ "${DRY_RUN}" == false ]]; then + bash register-oauth-client-viya.sh + fi -[ -z "$KUBECONFIG" ] && { - echo "KUBECONFIG environment variable unset." >&2 - exit 1 -} + TEMPLATE_AUTH_URL="https://${ESP_DOMAIN}/SASLogon/oauth/authorize" + TEMPLATE_TOKEN_URL="https://${ESP_DOMAIN}/SASLogon/oauth/token" + TEMPLATE_API_URL="https://${ESP_DOMAIN}/SASLogon/userinfo" + TEMPLATE_SIGNOUT_REDIRECT_URL="https://${ESP_DOMAIN}/SASLogon/logout.do" -[ -z "${ESP_NAMESPACE}" ] && { - echo "Usage: ${0} " >&2 - exit 1 -} +elif [ "${OAUTH_TYPE}" == "keycloak" ]; then -[ -z "${ESP_PLUGIN_SOURCE}" ] && { - echo "Usage: ${0} " >&2 - exit 1 -} + if [[ "${DRY_RUN}" == false ]]; then + bash register-oauth-client-keycloak.sh + fi -if [ -d "./manifests" ]; then - echo "Existing manifest directory found." >&2 - echo "Removing manifests..." 
- rm -r ./manifests/ -fi + TEMPLATE_AUTH_URL="https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/realms/sas-esp/protocol/openid-connect/auth" + TEMPLATE_TOKEN_URL="https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/realms/sas-esp/protocol/openid-connect/token" + TEMPLATE_API_URL="https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/realms/sas-esp/protocol/openid-connect/userinfo" + TEMPLATE_SIGNOUT_REDIRECT_URL="https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/realms/sas-esp/protocol/openid-connect/logout?client_id=${OAUTH_CLIENT_ID}\&post_logout_redirect_uri=https://${ESP_DOMAIN}/grafana/login" -echo "Fetching required deployment information..." -ESP_DOMAIN=$(kubectl -n "${ESP_NAMESPACE}" get ingress --output json | jq -r '.items[0].spec.rules[0].host') -export ESP_DOMAIN +else -_uaa_secret_data=$(kubectl -n "${ESP_NAMESPACE}" get secret uaa-secret --output json) -UAA_ADMIN=$(echo "${_uaa_secret_data}" | jq -r '.data.username | @base64d') -export UAA_ADMIN -UAA_SECRET=$(echo "${_uaa_secret_data}" | jq -r '.data.password | @base64d') -export UAA_SECRET + if [[ "${DRY_RUN}" == false ]]; then + bash register-oauth-client-uaa.sh + fi + + TEMPLATE_AUTH_URL="https://${ESP_DOMAIN}/uaa/oauth/authorize" + TEMPLATE_TOKEN_URL="https://${ESP_DOMAIN}/uaa/oauth/token?token_format=jwt" + TEMPLATE_API_URL="https://${ESP_DOMAIN}/uaa/userinfo" + TEMPLATE_SIGNOUT_REDIRECT_URL="https://${ESP_DOMAIN}/oauth2/sign_out?rd=https://${ESP_DOMAIN}/uaa/logout.do?redirect=https://${ESP_DOMAIN}/uaa/login" + +fi cat </dev/null 1>&2; then + echo >&2 "ERROR: No Keycloak deployment found under namespace ${ESP_NAMESPACE}." + exit 1 + fi + + _kc_pod=$(kubectl -n "${ESP_NAMESPACE}" get pods -o json | + jq -r '.items[] | select(.metadata.name | test("^keycloak-deployment-")) | .metadata.name') + [ -n "${_kc_pod}" ] || { + echo >&2 "ERROR: No keycloak-deployment-* pod found under namespace ${ESP_NAMESPACE}." 
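Review bot: The `sed -i 's|TEMPLATE_...|'$VALUE'|g' $file` lines in `generate_manifests` splice each value unquoted and unescaped into the sed expression, so a value containing `|`, `&`, `\` or whitespace either breaks the command or is reinterpreted by sed; `OAUTH_CLIENT_SECRET`, which comes from the environment or a secret, is the most likely to contain such characters, and the hand-written `\&` in the Keycloak `TEMPLATE_SIGNOUT_REDIRECT_URL` shows the problem has already been hit once (it should be dropped once escaping is done in one place). The loop also iterates over `` `find ...` `` with an unquoted `$file`, which splits on spaces in paths. Separately, under `set -o nounset` the new `ESP_NAMESPACE="${1}"` and `[ -z "$KUBECONFIG" ]` abort with an "unbound variable" error before the usage and KUBECONFIG messages are ever printed; use `ESP_NAMESPACE="${1:-}"` and `[ -z "${KUBECONFIG:-}" ]` here and in the identical checks in remove-oauth-keycloak.sh and the remove-oauth UAA script. In dry-run mode `cat $file` prints the rendered config-map, including the substituted client secret, to stdout, which is worth a comment or a redaction since dry-run output tends to end up in logs. The remainder of this hunk after `cat <` is not visible here.
```shell
  # Substitute one TEMPLATE_* placeholder in a file. The value is escaped so
  # that '|', '&' and '\' in it cannot alter the sed expression (client
  # secrets and URLs regularly contain them).
  substitute() {
    local placeholder=$1 value=$2 target=$3
    local escaped
    escaped=$(printf '%s' "${value}" | sed -e 's/[\\|&]/\\&/g')
    sed -i "s|${placeholder}|${escaped}|g" -- "${target}"
  }

  while IFS= read -r -d '' file; do
    substitute TEMPLATE_AUTH_URL "${TEMPLATE_AUTH_URL}" "${file}"
    substitute TEMPLATE_TOKEN_URL "${TEMPLATE_TOKEN_URL}" "${file}"
    # … unchanged: one substitute call per remaining TEMPLATE_* placeholder …
    if [[ "${DRY_RUN}" == true ]]; then
      printf '%s\n' "${file}"
      cat -- "${file}"
    fi
  done < <(find ./manifests/ -name "*.y*ml" -print0)
```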
+ exit 1 + } + + _kc_ready=$(kubectl -n "${ESP_NAMESPACE}" get pod "${_kc_pod}" -o json | + jq -r '.status.conditions[] | select(.type == "Ready") | .status') + [ "${_kc_ready}" == 'True' ] || { + echo >&2 "ERROR: Keycloak deployment exists but is not ready. Try again later." + exit 1 + } +} + +function check_requirements() { + + if ! kubectl -n "${ESP_NAMESPACE}" get secret keycloak-admin-secret 2>/dev/null 1>&2; then + echo >&2 "ERROR: No Keycloak admin secret found under namespace ${ESP_NAMESPACE}." + exit 1 + fi + + if ! kubectl -n "${ESP_NAMESPACE}" get secret oauth2-proxy-client-secret 2>/dev/null 1>&2; then + echo >&2 "ERROR: No OAuth2 Proxy client secret found under namespace ${ESP_NAMESPACE}." + exit 1 + fi + + check_keycloak_deployment +} + +# Fetch access token to perform admin tasks: +function fetch_keycloak_admin_token() { + _resp=$(curl "https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/realms/master/protocol/openid-connect/token" -s -k -X POST \ + -H 'Content-Type: application/x-www-form-urlencoded' \ + -H 'Accept: application/json' \ + -d "client_id=admin-cli&grant_type=password&username=${KEYCLOAK_ADMIN}&password=${KEYCLOAK_SECRET}") + + echo "${_resp}" | jq -r '.access_token' +} + +function create_role() { + _role_name="${1}" + _role_repr="{\"name\": \"${_role_name}\", \"clientRole\": true}" + curl "https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/admin/realms/sas-esp/clients/${_client_id}/roles" -s -k -X POST \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${_token}" \ + -d "${_role_repr}" +} + +function add_protocol_mapper() { + _mapper_repr=$(echo -e " + { + \"name\": \"GrafanaRoles\", + \"protocol\": \"openid-connect\", + \"protocolMapper\": \"oidc-usermodel-client-role-mapper\", + \"consentRequired\": false, + \"config\": { + \"claim.name\": \"grafana_roles\", + \"usermodel.clientRoleMapping.clientId\": \"${OAUTH_CLIENT_ID}\", + \"jsonType.label\": \"String\", + \"multivalued\": \"true\", + \"access.token.claim\": \"true\", + 
\"userinfo.token.claim\": \"false\", + \"id.token.claim\": \"true\" + } + }") + _mapper_body=$(echo "${_mapper_repr}" | jq -r -c) + curl -s -k -X POST \ + "https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/admin/realms/sas-esp/clients/${_client_id}/protocol-mappers/models" \ + -H "Content-Type: application/json" \ + -H "Authorization: Bearer ${_token}" \ + -d "${_mapper_body}" +} + +function prepare_keycloak_roles() { + _token="$(fetch_keycloak_admin_token)" + # Get sas-esp realm clients: + _kc_clients=$(curl -s -k -X GET "https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/admin/realms/sas-esp/clients" -H "Authorization: Bearer ${_token}") + # Get OAuth2 Proxy client ID: + _client_id=$(echo "${_kc_clients}" | jq -r --arg opid "${OAUTH_CLIENT_ID}" '.[] | select(.clientId == $opid) | .id') + # Create Grafana roles: + create_role "grafana-admin" + create_role "admin" + create_role "editor" + # Create Grafana role protocol mapper: + add_protocol_mapper +} + +_keycloak_admin_secret=$(kubectl -n "${ESP_NAMESPACE}" get secret keycloak-admin-secret --output json) +KEYCLOAK_ADMIN=$(echo "${_keycloak_admin_secret}" | jq -r '.data.username | @base64d') +KEYCLOAK_SECRET=$(echo "${_keycloak_admin_secret}" | jq -r '.data.password | @base64d') + +_oauth2_proxy_secret=$(kubectl -n "${ESP_NAMESPACE}" get secret oauth2-proxy-client-secret --output json) +OAUTH_CLIENT_ID=$(echo "${_oauth2_proxy_secret}" | jq -r '.data.OAUTH2_PROXY_CLIENT_ID | @base64d') +export OAUTH_CLIENT_ID +OAUTH_CLIENT_SECRET=$(echo "${_oauth2_proxy_secret}" | jq -r '.data.OAUTH2_PROXY_CLIENT_SECRET | @base64d') +export OAUTH_CLIENT_SECRET + +prepare_keycloak_roles diff --git a/install/register-oauth-client-uaa.sh b/install/register-oauth-client-uaa.sh new file mode 100644 index 0000000..01e645c --- /dev/null +++ b/install/register-oauth-client-uaa.sh 
@@ -0,0 +1,46 @@ +#!/usr/bin/env bash + +set -e -o pipefail -o nounset + +# Fetch access token to perform admin tasks: +function fetch_uaa_admin_token() { + _resp=$(curl "https://${ESP_DOMAIN}/uaa/oauth/token" -s -k -X POST \ + -H 'Content-Type: application/x-www-form-urlencoded' \ + -H 'Accept: application/json' \ + -d "client_id=${UAA_ADMIN}&client_secret=${UAA_SECRET}&grant_type=client_credentials&response_type=token") + + echo "${_resp}" | jq -r '.access_token' +} + +# Add Grafana generic OAuth to allowed auth redirects: +function add_grafana_auth_redirect_uaa() { + _token="$(fetch_uaa_admin_token)" + _redirect="https://${ESP_DOMAIN}/grafana/login/generic_oauth" + + _config=$(curl -s -k -X GET "https://${ESP_DOMAIN}/uaa/oauth/clients/${OAUTH_CLIENT_ID}" -H "Authorization: Bearer ${_token}") + + _update_body=$(echo "${_config}" | jq -c -r --arg redirect "${_redirect}" \ + '.redirect_uri += [$redirect] | {client_id: .client_id, redirect_uri: .redirect_uri}') + + _resp=$(curl "https://${ESP_DOMAIN}/uaa/oauth/clients/${OAUTH_CLIENT_ID}" -s -k -X PUT \ + -o /dev/null -w "%{http_code}" \ + -H 'Content-Type: application/json' \ + -H "Authorization: Bearer ${_token}" \ + -H 'Accept: application/json' \ + -d "${_update_body}") + + if [ "${_resp}" == '200' ]; then + echo " Grafana OAuth redirect added." + else + echo >&2 "ERROR: OAuth client redirect update failed with status code ${_resp}." + exit 1 + fi +} + +_uaa_secret_data=$(kubectl -n "${ESP_NAMESPACE}" get secret uaa-secret --output json) +UAA_ADMIN=$(echo "${_uaa_secret_data}" | jq -r '.data.username | @base64d') +export UAA_ADMIN +UAA_SECRET=$(echo "${_uaa_secret_data}" | jq -r '.data.password | @base64d') +export UAA_SECRET + +add_grafana_auth_redirect_uaa diff --git a/install/register-oauth-client-viya.sh b/install/register-oauth-client-viya.sh new file mode 100644 index 0000000..744f58d --- /dev/null +++ b/install/register-oauth-client-viya.sh 
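Review bot: `add_grafana_auth_redirect_uaa` appends the Grafana redirect to `redirect_uri` unconditionally, so every re-run of configure-grafana.sh adds another duplicate entry to the UAA client; deduplicate in the jq filter, `'.redirect_uri = ((.redirect_uri // []) + [$redirect] | unique) | {client_id, redirect_uri}'`. `fetch_uaa_admin_token` interpolates `UAA_SECRET` raw into the form body, so a secret containing `&`, `%` or `+` is mis-parsed by the token endpoint, and the credentials sit in the curl argv (visible in the process list) for the duration of the call; `--data-urlencode` fixes the encoding and feeding the body through `-d @-` from stdin keeps it out of `ps`. The same token-fetch shape, with `password=${KEYCLOAK_SECRET}` in argv, is in register-oauth-client-keycloak.sh and remove-oauth-keycloak.sh. The GET of `_config` is not status-checked either, so an expired or `null` token surfaces later as a confusing "redirect update failed" on the PUT rather than as a token error.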
@@ -0,0 +1,51 @@ +#!/usr/bin/env bash + +set -e -o pipefail -o nounset + +function fetch_consul_token () { + _token=$(kubectl -n "${ESP_NAMESPACE}" get secret sas-consul-client -o go-template='{{ .data.CONSUL_TOKEN | base64decode}}') + + echo ${_token} +} + +function fetch_saslogon_token () { + _token=$(fetch_consul_token) + _resp=$(curl -k -X POST "https://$ESP_DOMAIN/SASLogon/oauth/clients/consul?callback=false&serviceId=app" -H "X-Consul-Token: ${_token}") + + echo "${_resp}" | jq -r '.access_token' +} + +function register_oauth_client () { + _token="$(fetch_saslogon_token)" + + _redirecturl="https://${ESP_DOMAIN}/grafana/login/generic_oauth" + + _body='{ + "scope": ["*"], + "client_id": "'"${OAUTH_CLIENT_ID}"'", + "client_secret": "'"${OAUTH_CLIENT_SECRET}"'", + "authorized_grant_types": ["authorization_code"], + "redirect_uri": ["'"${_redirecturl}"'"], + "autoapprove": ["true"], + "name": "Grafana" + }' + + _resp=$(curl -k -X POST "https://$ESP_DOMAIN/SASLogon/oauth/clients" \ + -H 'Content-Type: application/json' \ + -H "Authorization: Bearer ${_token}" \ + -d "${_body}") + + regex_error="error" + if [[ "${_resp}" =~ $regex_error ]]; then + error=$(echo "${_resp}" | jq -r '.error') + error_description=$(echo "${_resp}" | jq -r '.error_description') + echo >&2 "Failed to register Grafana as OAuth client" + echo >&2 "${error}: ${error_description}" + + else + echo "Grafana registered as OAuth client" + fi + +} + +register_oauth_client diff --git a/install/remove-oauth-keycloak.sh b/install/remove-oauth-keycloak.sh new file mode 100644 index 0000000..9ada91c --- /dev/null +++ b/install/remove-oauth-keycloak.sh 
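Review bot: In `register_oauth_client` the failure branch only prints the error and returns 0, so the caller in configure-grafana.sh (which runs this script under `set -e`) goes on to render manifests for a client that was never registered; add `exit 1` after the `echo >&2 "${error}: ${error_description}"` line. Detecting failure with the substring regex `error` is fragile, since any success body that happens to contain the word matches; testing the field explicitly is more reliable, e.g. `if [[ -n "$(jq -r '.error // empty' <<<"${_resp}")" ]]; then`, or check the HTTP status with `-w "%{http_code}"` as register-oauth-client-uaa.sh does. The client is created with `"scope": ["*"]` and `"autoapprove": ["true"]`, which is broader than a login-only client seems to need; if the wildcard is required a comment above `_body` should say why, otherwise narrow it to the scopes Grafana actually requests. `fetch_consul_token` should `echo "${_token}"` quoted, and `curl -k` disables certificate checking on calls that carry the Consul token and the admin bearer token, which deserves a comment stating that a self-signed ingress certificate is the reason.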
@@ -0,0 +1,102 @@ +#!/usr/bin/env bash + +set -e -o pipefail -o nounset + +KEYCLOAK_SUBPATH="${KEYCLOAK_SUBPATH:-auth}" + +ESP_NAMESPACE="${1}" + +function check_requirements() { + + [ -z "$KUBECONFIG" ] && { + echo "KUBECONFIG environment variable unset." >&2 + exit 1 + } + + [ -z "${ESP_NAMESPACE}" ] && { + echo "Usage: ${0} " >&2 + exit 1 + } + + if ! kubectl get namespace "${ESP_NAMESPACE}" 2>/dev/null 1>&2; then + echo >&2 "ERROR: Namespace ${ESP_NAMESPACE} not found." + exit 1 + fi + + if ! kubectl -n "${ESP_NAMESPACE}" get secret keycloak-admin-secret 2>/dev/null 1>&2; then + echo >&2 "ERROR: No Keycloak admin secret found under namespace ${ESP_NAMESPACE}." + exit 1 + fi + + if ! kubectl -n "${ESP_NAMESPACE}" get secret oauth2-proxy-client-secret 2>/dev/null 1>&2; then + echo >&2 "ERROR: No OAuth2 Proxy client secret found under namespace ${ESP_NAMESPACE}." + exit 1 + fi +} + +# Fetch access token to perform admin tasks: +function fetch_keycloak_admin_token() { + _resp=$(curl "https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/realms/master/protocol/openid-connect/token" -s -k -X POST \ + -H 'Content-Type: application/x-www-form-urlencoded' \ + -H 'Accept: application/json' \ + -d "client_id=admin-cli&grant_type=password&username=${KEYCLOAK_ADMIN}&password=${KEYCLOAK_SECRET}") + + echo "${_resp}" | jq -r '.access_token' +} + +function delete_role() { + _role_name="${1}" + curl -s -k -X DELETE \ + "https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/admin/realms/sas-esp/clients/${_client_id}/roles/${_role_name}" \ + -H "Authorization: Bearer ${_token}" +} + +function remove_protocol_mapper() { + # Get mapper id: + _mappers=$(curl -s -k -X GET "https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/admin/realms/sas-esp/clients/${_client_id}/protocol-mappers/models" -H "Authorization: Bearer ${_token}") + _mapper_id=$(echo "${_mappers}" | jq -r '.[] | select(.name == "GrafanaRoles") | .id') + # Delete mapper: + curl -s -k -X DELETE 
"https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/admin/realms/sas-esp/clients/${_client_id}/protocol-mappers/models/${_mapper_id}" -H "Authorization: Bearer ${_token}" +} + +function remove_keycloak_roles() { + _token="$(fetch_keycloak_admin_token)" + # Get sas-esp realm clients: + _kc_clients=$(curl -s -k -X GET "https://${ESP_DOMAIN}/${KEYCLOAK_SUBPATH}/admin/realms/sas-esp/clients" -H "Authorization: Bearer ${_token}") + # Get OAuth2 Proxy client ID: + _client_id=$(echo "${_kc_clients}" | jq -r --arg opid "${OAUTH_CLIENT_ID}" '.[] | select(.clientId == $opid) | .id') + # Delete Grafana roles: + delete_role "grafana-admin" + delete_role "admin" + delete_role "editor" + # Remove Grafana role protocol mapper: + remove_protocol_mapper +} + +# Fail fast on missing requirements: +check_requirements + +echo "Fetching required deployment information..." +ESP_DOMAIN=$(kubectl -n "${ESP_NAMESPACE}" get ingress --output json | jq -r '.items[0].spec.rules[0].host') +export ESP_DOMAIN + +_oauth2_proxy_secret=$(kubectl -n "${ESP_NAMESPACE}" get secret oauth2-proxy-client-secret --output json) +OAUTH_CLIENT_ID=$(echo "${_oauth2_proxy_secret}" | jq -r '.data.OAUTH2_PROXY_CLIENT_ID | @base64d') +export OAUTH_CLIENT_ID + +_keycloak_admin_secret=$(kubectl -n "${ESP_NAMESPACE}" get secret keycloak-admin-secret --output json) +KEYCLOAK_ADMIN=$(echo "${_keycloak_admin_secret}" | jq -r '.data.username | @base64d') +export KEYCLOAK_ADMIN +KEYCLOAK_SECRET=$(echo "${_keycloak_admin_secret}" | jq -r '.data.password | @base64d') +export KEYCLOAK_SECRET + +cat <&2 "WARN: Grafana OAuth client redirect removal failed with status code ${_resp}." + fi +} + +[ -d "./manifests" ] || { + echo "No manifest directory found." >&2 + exit 1 +} + +[ -z "$KUBECONFIG" ] && { + echo "KUBECONFIG environment variable unset." >&2 + exit 1 +} + +[ -z "${ESP_NAMESPACE}" ] && { + echo "Usage: ${0} " >&2 + exit 1 +} + +echo "Fetching required deployment information..." 
+ESP_DOMAIN=$(kubectl -n "${ESP_NAMESPACE}" get ingress --output json | + jq -r '.items[0].spec.rules[0].host') +export ESP_DOMAIN + +_uaa_secret_data=$(kubectl -n "${ESP_NAMESPACE}" get secret uaa-secret --output json) +UAA_ADMIN=$(echo "${_uaa_secret_data}" | jq -r '.data.username | @base64d') +export UAA_ADMIN +UAA_SECRET=$(echo "${_uaa_secret_data}" | jq -r '.data.password | @base64d') +export UAA_SECRET + +cat <