gorgeous-lunch-7514
// OpenID config
/**
 * OpenID Connect discovery document of the issuer, fetched from
 * `https://<issuer>/.well-known/openid-configuration` (only `jwks_uri` is read below).
 */
const oidcConfig = oidcProviderURL.apply(async (url) => {
  const discoveryUrl = `https://${url}/.well-known/openid-configuration`;
  const response = await axios.get(discoveryUrl);
  return response.data;
});
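// Get thumbprint of the OIDC issuer identity from the certificate served at its JWKS endpoint.
//
// NOTE(review): this uses the SHA-1 fingerprint of the *leaf* certificate. AWS documents the IAM
// OIDC provider thumbprint as that of the top intermediate CA that signed the IdP's certificate,
// so confirm which certificate in the chain IAM expects before relying on this value.
const oidcProviderThumbprint = oidcConfig.apply((config) => {
  const jwksUri = new URL(config.jwks_uri);
  // Honour an explicit port in jwks_uri instead of always assuming 443.
  const port = jwksUri.port === "" ? 443 : Number(jwksUri.port);
  // Bound the handshake so a silent network failure fails the deployment instead of hanging it.
  const handshakeTimeoutMs = 10000;

  return new Promise((resolve, reject) => {
    // rejectUnauthorized is not overridden, so Node's default chain validation applies: the
    // handshake (and therefore this promise) fails unless the server's certificate chains to a
    // trusted CA. servername sets SNI so the host presents the certificate for this name.
    const tlsSocket = tls.connect(port, jwksUri.hostname, { servername: jwksUri.hostname });

    tlsSocket.setTimeout(handshakeTimeoutMs, () => {
      // destroy(err) emits "error", which is routed to reject below.
      tlsSocket.destroy(
        new Error(`Timed out after ${handshakeTimeoutMs}ms fetching the certificate of ${jwksUri.hostname}:${port}`),
      );
    });

    tlsSocket.once("secureConnect", () => {
      const certificate = tlsSocket.getPeerCertificate();
      tlsSocket.end();
      if (!certificate || !certificate.fingerprint) {
        reject(new Error(`No peer certificate received from ${jwksUri.hostname}:${port}`));
        return;
      }
      // IAM expects the 40-hex-character SHA-1 fingerprint with the colon separators removed.
      resolve(certificate.fingerprint.replace(/:/g, "").toUpperCase());
    });

    tlsSocket.once("error", reject);
  });
});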
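// Get OIDC issuer identity.
/**
 * Issuer of the cluster's first OIDC identity with the scheme (`https://`) and any trailing
 * `/` stripped; the path is retained. Consumers below re-prefix `https://`.
 *
 * Throws a descriptive Error when the cluster exposes no OIDC identity, instead of the
 * TypeError that indexing an empty list would raise.
 */
const oidcProviderURL = cluster.eksCluster.identities.apply((identities) => {
  const oidcs = identities.length > 0 ? identities[0].oidcs : undefined;
  const issuer = oidcs && oidcs.length > 0 ? oidcs[0].issuer : undefined;
  if (!issuer) {
    throw new Error("EKS cluster exposes no OIDC identity; cannot derive the issuer URL");
  }
  // Drop "scheme://" (or a bare leading "//") and a trailing slash.
  return issuer.replace(/(^\w+:|^)\/\//, "").replace(/\/$/, "");
});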
// Get AWS Account ID.
/** Promise of the account ID behind the credentials the AWS provider is running with. */
const awsAccountID = aws.getCallerIdentity().then(({ accountId }) => accountId);
// OpenID config
/**
 * OpenID Connect discovery document of the issuer, fetched from
 * `https://<issuer>/.well-known/openid-configuration` (only `jwks_uri` is read below).
 */
const oidcConfig = oidcProviderURL.apply(async (url) => {
  const discoveryUrl = `https://${url}/.well-known/openid-configuration`;
  const response = await axios.get(discoveryUrl);
  return response.data;
});
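// Get thumbprint of the OIDC issuer identity from the certificate served at its JWKS endpoint.
//
// NOTE(review): this uses the SHA-1 fingerprint of the *leaf* certificate. AWS documents the IAM
// OIDC provider thumbprint as that of the top intermediate CA that signed the IdP's certificate,
// so confirm which certificate in the chain IAM expects before relying on this value.
const oidcProviderThumbprint = oidcConfig.apply((config) => {
  const jwksUri = new URL(config.jwks_uri);
  // Honour an explicit port in jwks_uri instead of always assuming 443.
  const port = jwksUri.port === "" ? 443 : Number(jwksUri.port);
  // Bound the handshake so a silent network failure fails the deployment instead of hanging it.
  const handshakeTimeoutMs = 10000;

  return new Promise((resolve, reject) => {
    // rejectUnauthorized is not overridden, so Node's default chain validation applies: the
    // handshake (and therefore this promise) fails unless the server's certificate chains to a
    // trusted CA. servername sets SNI so the host presents the certificate for this name.
    const tlsSocket = tls.connect(port, jwksUri.hostname, { servername: jwksUri.hostname });

    tlsSocket.setTimeout(handshakeTimeoutMs, () => {
      // destroy(err) emits "error", which is routed to reject below.
      tlsSocket.destroy(
        new Error(`Timed out after ${handshakeTimeoutMs}ms fetching the certificate of ${jwksUri.hostname}:${port}`),
      );
    });

    tlsSocket.once("secureConnect", () => {
      const certificate = tlsSocket.getPeerCertificate();
      tlsSocket.end();
      if (!certificate || !certificate.fingerprint) {
        reject(new Error(`No peer certificate received from ${jwksUri.hostname}:${port}`));
        return;
      }
      // IAM expects the 40-hex-character SHA-1 fingerprint with the colon separators removed.
      resolve(certificate.fingerprint.replace(/:/g, "").toUpperCase());
    });

    tlsSocket.once("error", reject);
  });
});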
// Superseded attempt (kept for reference): hashes the cluster's certificateAuthority data. That value is the cluster's own CA rather than a certificate from the OIDC issuer's HTTPS chain, and a SHA-1 over the decoded PEM text is not a certificate fingerprint (which is computed over the DER encoding), so it is not a usable IAM thumbprint.
// const oidcProviderThumbprint = cluster.eksCluster.certificateAuthority.apply(ca => {
// const data = ca.data;
// const ascii = Buffer.from(data, "base64").toString("ascii");
// const thumbprint = crypto.createHash("sha1").update(ascii).digest("hex");
// return thumbprint.toUpperCase();
// });
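// Create an IAM OIDC provider.
/**
 * IAM OIDC identity provider for the cluster's issuer. `url` re-adds the scheme that
 * oidcProviderURL strips; `thumbprintLists` carries the fingerprint computed above.
 */
const oidcProvider = new aws.iam.OpenIdConnectProvider(`${projectName}-oidc-provider`, {
  // Audience (client ID) IAM will accept in tokens from this issuer. This is a bare host
  // name; IAM rejects a value wrapped in link markup such as "<http://...|...>".
  clientIdLists: ["sts.amazonaws.com"],
  url: oidcProviderURL.apply((url) => `https://${url}`),
  thumbprintLists: [oidcProviderThumbprint],
});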
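// Thumbprint derived from the cluster's certificate authority data.
//
// NOTE(review): certificateAuthority.data is the cluster's own CA, while AWS documents the IAM
// OIDC provider thumbprint as the SHA-1 fingerprint of the top intermediate CA in the OIDC
// issuer's HTTPS chain. Confirm this is the certificate IAM expects before using it.
const oidcProviderThumbprint = cluster.eksCluster.certificateAuthority.apply((ca) => {
  // `data` is base64-encoded PEM. A certificate fingerprint is SHA-1 over the DER encoding,
  // not over the PEM text, so parse the certificate instead of hashing the decoded string.
  const certificate = new crypto.X509Certificate(Buffer.from(ca.data, "base64"));
  // X509Certificate.fingerprint is the colon-separated SHA-1 fingerprint; IAM wants the
  // 40 hex characters without separators.
  return certificate.fingerprint.replace(/:/g, "").toUpperCase();
});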
billowy-army-68599
`getCertificate` from the TLS package is likely easier.
gorgeous-lunch-7514
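// Create an IAM OIDC provider.
/**
 * IAM OIDC identity provider for the cluster's issuer. The thumbprint is taken from the
 * certificate chain the issuer serves over HTTPS, via the `tls.getCertificate` data source.
 */
const oidcProvider = new aws.iam.OpenIdConnectProvider(`${projectName}-oidc-provider`, {
  // Audience (client ID) IAM will accept in tokens from this issuer. This is a bare host
  // name; IAM rejects a value wrapped in link markup such as "<http://...|...>".
  clientIdLists: ["sts.amazonaws.com"],
  url: oidcProviderURL.apply((url) => `https://${url}`),
  thumbprintLists: oidcProviderURL.apply(async (url) => {
    // Fetch the certificate chain the OIDC hostname presents on TLS.
    const { certificates } = await tls.getCertificate({ url: `https://${url}` });
    if (!certificates || certificates.length === 0) {
      throw new Error(`No TLS certificate returned for https://${url}`);
    }
    // NOTE(review): certificates[0] is the first entry of the chain as returned by the data
    // source; confirm it is the CA certificate IAM expects for the thumbprint, not the leaf.
    return [certificates[0].sha1Fingerprint];
  }),
});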