
Commit ea41a47

feat: use newrelic-auth-cli to manage system id creation
1 parent e89772c commit ea41a47


2 files changed

+45
-165
lines changed


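--- a/charts/agent-control-deployment/Chart.yaml
+++ b/charts/agent-control-deployment/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart to install New Relic Agent Control on Kubernetes
 
 type: application
 
-version: 0.0.52
+version: 0.0.53
 appVersion: "0.39.0"
 
 dependencies: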

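--- a/charts/agent-control-deployment/templates/preinstall-job-register-system-identity.yaml
+++ b/charts/agent-control-deployment/templates/preinstall-job-register-system-identity.yaml
@@ -99,7 +99,7 @@ spec:
 key: {{ include "newrelic-agent-control.auth.l1IdentityCredentialsKey.clientSecretKeyName" . }}
 {{- end }}
 command:
-- ash
+- bash
 args:
 - -c
 - |
@@ -111,180 +111,60 @@ spec:
 exit 0
 fi
 
-echo Generating the Keys...
-TEMPORAL_FOLDER=gen-folder
-mkdir $TEMPORAL_FOLDER
-openssl genrsa -out "$TEMPORAL_FOLDER/key" 4096
-openssl rsa -in "$TEMPORAL_FOLDER/key" -pubout -out "$TEMPORAL_FOLDER/pub"
-
-echo Key generated, creating the identity...
-if [ "${NEW_RELIC_AUTH_CLIENT_ID:-}" != "" ] && [ "${NEW_RELIC_AUTH_CLIENT_SECRET:-}" != "" ]; then
-echo Starting with L1 System Identity...
-############################################################
-# Get the L1 Access Token
-############################################################
-RESPONSE_FILE=$TEMPORAL_FOLDER/response_token.json
-for RETRY in 1 2 3; do
-HTTP_CODE=$(echo '{"client_id": "'$NEW_RELIC_AUTH_CLIENT_ID'", "client_secret": "'$NEW_RELIC_AUTH_CLIENT_SECRET'", "grant_type": "client_credentials"}' | tr -d $'\n' | curl \
--s -S -w "%{http_code}" \
--H "Content-Type: application/json" \
--o "$RESPONSE_FILE" \
---data-binary @- \
---max-time 60 \
-"{{ include "newrelic-agent-control.config.endpoints.tokenRenewal" . }}")
+echo "Secret not present, creating a new System Identity..."
 
-if [ $HTTP_CODE -eq 200 ]; then
-break
-fi
+REGION={{ include "newrelic.common.region" . }}
+echo "Authenticating with New Relic ($REGION)..."
 
-if [ -z "$HTTP_CODE" ] || [ "$HTTP_CODE" -eq 0 ]; then
-echo "Network error occurred or no HTTP response was received. Retrying ($RETRY/3)..."
-sleep 2
-continue
-else
-if jq empty "$TEMPORAL_FOLDER/response_token.json" > /dev/null 2>&1; then
-ERROR_MESSAGE=$(jq '.error_description // "invalid_request"' < "$TEMPORAL_FOLDER/response_token.json" | tr -d '"')
-echo "Error getting system identity auth token. The API endpoint returned $HTTP_CODE: $ERROR_MESSAGE. Retrying ($RETRY/3)..."
-sleep 2
-else
-echo -n "Error getting system identity auth token. The API endpoint returned $HTTP_CODE: " && cat "$TEMPORAL_FOLDER/response_token.json" | tr -d '\n' && echo " Retrying ($RETRY/3)..."
-sleep 2
-continue
-fi
-fi
-done
+ACCESS_TOKEN=""
+for RETRY in 1 2 3; do
+ACCESS_TOKEN=$(newrelic-auth-cli authenticate --client-id "$NEW_RELIC_AUTH_CLIENT_ID" --client-secret "$NEW_RELIC_AUTH_CLIENT_SECRET" --environment "$REGION" --output-token-format Plain)
 
-if [ $HTTP_CODE -ne 200 ]; then
-echo "Error getting system identity auth token"
-exit 99
+if [ -n "$ACCESS_TOKEN" ]; then
+echo "Access token obtained successfully"
+break
 fi
 
-ACCESS_TOKEN=$(jq '.access_token' < "$RESPONSE_FILE" | tr -d '"' )
-
-echo Starting with L2 System Identity...
-############################################################
-# Create System Identity (L1/L2 System Identities)
-############################################################
-DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-NAME="System Identity for $(hostname) - $DATE"
-
-for RETRY in 1 2 3; do
-HTTP_CODE=$(echo '{ "query":
-"mutation {
-systemIdentityCreate(
-name: \"'$NAME'\",
-organizationId: \"{{ include "newrelic-agent-control.auth.organizationId" . }}\",
-publicKey: \"'$(openssl enc -base64 -A -in "$TEMPORAL_FOLDER/pub")'\"
-) {
-clientId,
-name
-}
-}"
-}' | tr -d $'\n' | curl \
--s -S -w "%{http_code}" \
--H "Content-Type: application/json" \
--H "Authorization: Bearer $ACCESS_TOKEN" \
--o "$TEMPORAL_FOLDER/response.json" \
---data-binary @- \
---max-time 60 \
-"{{ include "newrelic-agent-control.config.endpoints.systemIdentityCreation" . }}"
-)
-
-if [ $HTTP_CODE -eq 200 ]; then
-break
-fi
-
-if [ -z "$HTTP_CODE" ] || [ "$HTTP_CODE" -eq 0 ]; then
-echo "Network error occurred or no HTTP response was received during L2 identity creation. Retrying ($RETRY/3)..."
-sleep 2
-continue
-else
-if jq empty "$TEMPORAL_FOLDER/response_token.json" > /dev/null 2>&1; then
-ERROR_MESSAGE=$(jq '.errors[0].message // "invalid_request"' < "$TEMPORAL_FOLDER/response_token.json" | tr -d '"')
-echo "Error creating L2 system identity. The API endpoint returned $HTTP_CODE: $ERROR_MESSAGE. Retrying ($RETRY/3)..."
-sleep 2
-else
-echo -n "Error creating L2 system identity. The API endpoint returned $HTTP_CODE: " && cat "$TEMPORAL_FOLDER/response_token.json" | tr -d '\n' && echo " Retrying ($RETRY/3)..."
-sleep 2
-continue
-fi
-fi
-done
-
-if [ $HTTP_CODE -ne 200 ]; then
-echo "Error: The API endpoint returned HTTP code $HTTP_CODE."
-exit 99
+if [ -z $ACCESS_TOKEN ]; then
+echo "Network error occurred or no HTTP response was received. Retrying ($RETRY/3)..."
+sleep 2
+continue
 fi
+done
 
-if jq empty "$TEMPORAL_FOLDER/response_token.json" > /dev/null 2>&1; then
-ERROR_MESSAGE=$(jq '.errors[0].message // "NOERROR"' < "$TEMPORAL_FOLDER/response.json" | tr -d '"')
-if [ "$ERROR_MESSAGE" != "NOERROR" ]; then
-echo "Failed to create a New Relic System Identity L2 for Fleet Control communication authentication. Please verify that your User Key is valid and that your Account Organization has the necessary permissions to create a System Identity: $ERROR_MESSAGE"
-exit 100
-fi
-fi
-
-CLIENT_ID=$(jq '.data.systemIdentityCreate.clientId' < "$TEMPORAL_FOLDER/response.json" | tr -d '"' )
-else
-echo Starting with Legacy UserApiKey System Identity...
-############################################################
-# Create System Identity (Legacy)
-############################################################
-for RETRY in 1 2 3; do
-HTTP_CODE=$(echo '{ "query":
-"mutation {
-systemIdentityCreate(
-name: \"System Identity for Kubernetes cluster '{{ include "newrelic.common.cluster" . }}'\",
-organizationId: \"{{ include "newrelic-agent-control.auth.organizationId" . }}\",
-publicKey: \"'$(openssl enc -base64 -A -in "$TEMPORAL_FOLDER/pub")'\"
-) {
-clientId,
-name
-}
-}"
-}' | tr -d $'\n' | \
-curl \
--s -S -w "%{http_code}" \
--H "Content-Type: application/json" \
--H "API-Key: $USER_KEY" \
--o "$TEMPORAL_FOLDER/response.json" \
---data @- \
---max-time 60 \
-"{{ include "newrelic-agent-control.config.endpoints.systemIdentityRegistration" . }}"
-)
-if [ $HTTP_CODE -eq 200 ]; then
-break
-fi
-
-if [ -z "$HTTP_CODE" ] || [ "$HTTP_CODE" -eq 0 ]; then
-echo "Network error occurred or no HTTP response was received during legacy identity creation. Retrying ($RETRY/3)..."
-sleep 2
-continue
-else
-if jq empty "$TEMPORAL_FOLDER/response_token.json" > /dev/null 2>&1; then
-ERROR_MESSAGE=$(jq '.errors[0].message // "invalid_request"' < "$TEMPORAL_FOLDER/response_token.json" | tr -d '"')
-echo "Error creating the new legacy system identity. The API endpoint returned $HTTP_CODE: $ERROR_MESSAGE. Retrying ($RETRY/3)..."
-sleep 2
-else
-echo -n "Error creating the new legacy system identity. The API endpoint returned $HTTP_CODE: " && cat "$TEMPORAL_FOLDER/response_token.json" | tr -d '\n' && echo " Retrying ($RETRY/3)..."
-sleep 2
-continue
-fi
-fi
-done
+if [ -z "$ACCESS_TOKEN" ]; then
+echo "Error getting system identity auth token"
+exit 99
+fi
 
-if [ $HTTP_CODE -ne 200 ]; then echo HTTP_CODE=$HTTP_CODE ;exit 1; fi
+echo "Authenticated successfully"
+echo "Creating System Identity..."
 
-if jq empty "$TEMPORAL_FOLDER/response_token.json" > /dev/null 2>&1; then
-ERROR_MESSAGE=$(jq '.errors[0].message // "NOERROR"' < "$TEMPORAL_FOLDER/response.json" | tr -d '"')
-if [ "$ERROR_MESSAGE" != "NOERROR" ]; then
-echo "Failed to create a New Relic Legacy System Identity for Fleet Control communication authentication. Please verify that your User Key is valid and that your Account Organization has the necessary permissions to create a System Identity: $ERROR_MESSAGE"
-exit 100
-fi
+ORG_ID={{ include "newrelic-agent-control.auth.organizationId" . }}
+TEMPORAL_FOLDER=gen-folder
+mkdir $TEMPORAL_FOLDER
+CLIENT_ID=""
+DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+NAME="System Identity for $(hostname) - $DATE"
+for RETRY in 1 2 3; do
+OUTPUT=$(newrelic-auth-cli create-identity key --name "$NAME" --organization-id "$ORG_ID" --client-id "$NEW_RELIC_AUTH_CLIENT_ID" --environment "$REGION" --bearer-access-token "$ACCESS_TOKEN" --output-platform "local-file" --output-local-filepath "$TEMPORAL_FOLDER/key")
+CLIENT_ID=$(echo "$OUTPUT" | jq -r '.client_id // empty')
+
+if [ -n "$CLIENT_ID" ]; then
+echo "System identity created successfully"
+break
 fi
-
-CLIENT_ID=$(jq -r '.data.systemIdentityCreate.clientId' "$TEMPORAL_FOLDER/response.json")
+if [ -z "$CLIENT_ID" ]; then
+echo "Network error occurred or no HTTP response was received. Retrying ($RETRY/3)..."
+sleep 2
+continue
+fi
+done
+if [ -z "$CLIENT_ID" ]; then
+echo "Error creating system identity"
+exit 99
 fi
+
 echo Creating the secret '{{ include "newrelic-agent-control.auth.secret.name" . }}'...
 kubectl create secret generic --dry-run=client -o json \
 {{ include "newrelic-agent-control.auth.secret.name" . }} \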
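Review bot: The client secret and the bearer token are now passed as command-line arguments at new lines 121 and 150 (`--client-secret "$NEW_RELIC_AUTH_CLIENT_SECRET"`, `--bearer-access-token "$ACCESS_TOKEN"`), where they are readable from the job container's process list for the duration of each call, whereas the removed curl path fed the secret to the request body over stdin; if newrelic-auth-cli can read the secret from the environment or stdin that form is preferable, and otherwise the trade-off deserves a comment such as `# NOTE: client secret and access token are visible on argv while the CLI runs`. Both retry loops also report every empty result as "Network error occurred or no HTTP response was received", including an invalid client id/secret or an unset `NEW_RELIC_AUTH_CLIENT_ID` (the removed `${NEW_RELIC_AUTH_CLIENT_ID:-}` guard has no replacement), so a permanent credential problem is retried three times and then described as a network fault, with the CLI's stderr as the only real diagnostic. `if [ -z $ACCESS_TOKEN ]; then` at new line 128 should be `if [ -z "$ACCESS_TOKEN" ]; then`, matching the quoted form used at line 135. The script header, including any `set -e`/`set -u` options, is outside the hunk; if `set -e` is in effect, a non-zero exit from the CLI inside `ACCESS_TOKEN=$(...)` or `OUTPUT=$(...)` ends the script before the retry branch runs.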
