Use a specific template for gMSA

kubernetes-sigs · Mar 31, 2022 · 4eb2c61 · 4eb2c61
1 parent a20fe60
commit 4eb2c61
Show file tree

Hide file tree

Showing 9 changed files with 10,551 additions and 67 deletions.
diff --git a/scripts/gmsa/setup-gmsa.sh b/scripts/gmsa/setup-gmsa.sh
@@ -105,6 +105,24 @@ main() {
         sleep 10
     done
 
+    cloudproviderId=$(az identity show --name cloud-provider-user-identity --resource-group $CI_RG --query 'principalId' -o tsv || true)
+    if [[ -z $cloudproviderId ]]; then 
+        cloudproviderId=$(az identity create -g $CI_RG -n cloud-provider-user-identity --query 'principalId' -o tsv)
+    fi
+
+    # on first run this takes ~1-2 mins
+    until az role assignment create --role "Contributor" --assignee-object-id $cloudproviderId  --assignee-principal-type ServicePrincipal &> /dev/null
+    do 
+        echo "wait for role propgation"
+        sleep 10
+    done
+
+    until az role assignment create --role "AcrPull" --assignee-object-id $cloudproviderId  --assignee-principal-type ServicePrincipal &> /dev/null
+    do 
+        echo "wait for role propgation"
+        sleep 10
+    done
+
     # make sure the service CI principal has read access to set up tests
     ciSP=$(az ad sp show --id "$CI_CLIENT_ID" --query objectId -o tsv)
     az keyvault set-policy --name "${GMSA_KEYVAULT}" --object-id "$ciSP" --secret-permissions get delete list purge