Merge pull request #3713 from Azure/niontive/ARO-8986

Add scripts for creating and persisting mock cluster MSI

docs/deploy-development-rp.md

@@ -51,6 +51,9 @@
    SECRET_SA_ACCOUNT_NAME=rharosecretsdev make secrets
    ```
 
+1. Run [msi.sh](../hack/devtools/msi.sh) to create a service principal and self-signed certificate to 
+mock a cluster MSI. Save the output values for `Client ID`, `Base64 Encoded Certificate`, and `Tenant`.
+
 1. Copy, edit (if necessary) and source your environment file.  The required
    environment variable configuration is documented immediately below:
 
@@ -64,6 +67,9 @@
      `eastus`).
    * `RP_MODE`: Set to `development` to use a development RP running at
      https://localhost:8443/.
+   * `MOCK_MSI_CLIENT_ID`: Client ID for service principal that mocks cluster MSI (see previous step).
+   * `MOCK_MSI_CERT`: Base64 encoded certificate for service principal that mocks cluster MSI (see previous step).
+   * `MOCK_MSI_TENANT_ID`: Tenant ID for service principal that mocks cluster MSI (see previous step).
 
 1. Create your own RP database:
 

hack/devtools/local_dev_env.sh

@@ -39,7 +39,58 @@ ask_to_create_default_env_config() {
     fi
 }
 
+# We use a service principal and certificate as the mock MSI object
+create_mock_msi() {
+    appName="mock-msi-$(openssl rand -base64 9 | tr -dc 'a-zA-Z0-9' | head -c 6)"
+    az ad sp create-for-rbac --name $appName --create-cert --output json
+}
+
+get_mock_msi_clientID() {
+    echo "$1" | jq -r .appId
+}
+
+get_mock_msi_tenantID() {
+    echo "$1" | jq -r .tenant
+}
+
+get_mock_msi_cert() {
+    certFilePath=$(echo "$1" | jq -r '.fileWithCertAndPrivateKey')
+    base64EncodedCert=$(base64 -w 0 $certFilePath)
+    rm $certFilePath
+    echo $base64EncodedCert
+}
+
 create_env_file() {
+    local answer
+    read -p "Do you want to create an env file for Managed/Workload identity development? " answer
+    if [[ "$answer" == "y" || "$answer" == "Y" ]]; then
+        create_miwi_env_file
+    else 
+        create_regular_env_file
+    fi
+}
+
+create_miwi_env_file() {
+    echo "INFO: Creating default env config file for managed/workload identity development..."
+
+    mockMSI=$(create_mock_msi)
+    mockClientID=$(get_mock_msi_clientID "$mockMSI")
+    mockTenantID=$(get_mock_msi_tenantID "$mockMSI")
+    mockCert=$(get_mock_msi_cert "$mockMSI")
+
+    cat >env <<EOF
+export LOCATION=eastus
+export ARO_IMAGE=arointsvc.azurecr.io/aro:latest
+export RP_MODE=development # to use a development RP running at https://localhost:8443/
+export MOCK_MSI_CLIENT_ID="$mockClientID"
+export MOCK_MSI_TENANT_ID="$mockTenantID"
+export MOCK_MSI_CERT="$mockCert"
+
+source secrets/env
+EOF
+}
+
+create_regular_env_file() {
     echo "INFO: Creating default env config file..."
 
     cat >env <<EOF
@@ -51,6 +102,7 @@ source secrets/env
 EOF
 }
 
+
 ask_to_create_Azure_deployment() {
     local answer
     read -p "Create Azure deployment in the current subscription ($AZURE_SUBSCRIPTION_ID)? (y / n / l (list existing deployments)) " answer
@@ -107,4 +159,6 @@ main() {
     run_the_RP
 }
 
-main
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    main
+fi

hack/devtools/msi.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# This script creates a mock MSI object to use for local development
+# We use a service principal and certificate as the mock object
+
+scriptPath=$(realpath "$0")
+scriptDir=$(dirname "$scriptPath")
+
+source "$scriptDir/local_dev_env.sh"
+
+sp=$(create_mock_msi)
+if [[ -z "$sp" ]]; then
+    echo "Failed to create mock MSI object"
+    exit 1
+fi
+clientID=$(get_mock_msi_clientID "$sp")
+tenantID=$(get_mock_msi_tenantID "$sp")
+base64EncodedCert=$(get_mock_msi_cert "$sp")
+
+# Print the extracted values
+echo "Client ID: $clientID"
+echo "Tenant ID: $tenantID"
+echo "Base64 Encoded Certificate: $base64EncodedCert"