holos/hack/choria/initialize/make-provisioning-jwt

#! /bin/bash
#
# Make a provisioner.jwt and put it in the current directory.
#
# Use the provisioner.jwt with `holos controller --config=controller.cfg` which
# will read the jwt from the same directory as the config file.
#
# Refer to Arri's
# [setup.sh](https://github.com/ripienaar/machine-room-mvp/blob/main/example/setup/setup.sh#L41)
# And our own nites at https://github.com/holos-run/holos/issues/142

PARENT="$(cd $(dirname "$0") && pwd)"
OUTDIR="$(pwd)"

: "${NAMESPACE:=jeff-holos}"

tmpdir="$(mktemp -d)"
finish() {
  [[ -d "$tmpdir" ]] && rm -rvf "$tmpdir"
}
trap finish EXIT
cd "$tmpdir"

set -xeuo pipefail

# e.g. jeff.provision.dev.k2.holos.run
#
kubectl -n $NAMESPACE get virtualservice choria-broker-wss -o json > vs.json
jq --exit-status -r '.spec.hosts[0]' vs.json > host

# Get the issuer.seed
holos -n $NAMESPACE get secret choria-issuer --to-file issuer.seed

# Get the provisioner token to embed in the provisioning.jwt file.
holos -n $NAMESPACE get secret choria-provisioner --to-file token

# The --token flag value must be the same value set in the token field of provisioner.yaml
# Refer to https://github.com/ripienaar/machine-room-mvp/blob/main/example/setup/setup.sh#L41
# Refer to https://github.com/ripienaar/machine-room-mvp/blob/main/example/setup/templates/provisioner/provisioner.yaml#L6
choria jwt prov provisioning.jwt "issuer.seed" \
  --token "$(<token)" \
  --urls wss://$(<host):443 \
  --default \
  --protocol-v2 \
  --insecure \
  --update \
  --validity 30d \
  --extensions '{}'

cp provisioning.jwt "${OUTDIR}/"