@sigismund
Created October 29, 2024 12:29
CronJob script used to refresh the OIDC token used by Prometheus Blackbox Exporter
#!/bin/bash
set -e

# Expected environment (supplied by the CronJob): TOKEN_ENDPOINT (may contain a
# literal {tenantId} placeholder), TENANT_ID, CLIENT_ID, CLIENT_SECRET, SCOPE,
# TOKEN_SECRET_NAME and NAMESPACE.
echo "Starting OIDC token generation process..."

# OIDC Token Request (client_credentials grant)
TOKEN_URL="${TOKEN_ENDPOINT//\{tenantId\}/$TENANT_ID}"
echo "Requesting OIDC token from ${TOKEN_URL}..."
# --data-urlencode rather than -d: a client secret containing '&', '+' or '%'
# would otherwise be misparsed by the token endpoint.
TOKEN_RESPONSE=$(curl -s -X POST "$TOKEN_URL" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "client_id=$CLIENT_ID" \
  --data-urlencode "scope=$SCOPE" \
  --data-urlencode "client_secret=$CLIENT_SECRET" \
  --data-urlencode "grant_type=client_credentials" \
  -w "\nHTTP_STATUS:%{http_code}")
HTTP_STATUS=$(echo "$TOKEN_RESPONSE" | grep HTTP_STATUS | cut -d':' -f2)
TOKEN_RESPONSE=$(echo "$TOKEN_RESPONSE" | grep -v HTTP_STATUS)
echo "OIDC token request completed with status: $HTTP_STATUS"
if [ "$HTTP_STATUS" != "200" ]; then
  echo "Failed to obtain OIDC token. Response:"
  echo "$TOKEN_RESPONSE"
  exit 1
fi

# Pull the fields out with sed (no jq in the curl image). The patterns assume
# compact JSON with no whitespace after the colon, as the token endpoint returns.
ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
EXPIRY=$(echo "$TOKEN_RESPONSE" | sed -n 's/.*"expires_in":\([^,}]*\).*/\1/p')
if [ -z "$ACCESS_TOKEN" ]; then
  echo "Failed to extract access token from response"
  exit 1
fi
echo "OIDC token obtained successfully. Expiry: $EXPIRY seconds"

# Create or update the Kubernetes secret
echo "Preparing Kubernetes secret payload..."
SECRET_DATA=$(echo -n "$ACCESS_TOKEN" | base64 -w 0)
SECRET_PAYLOAD="{
  \"apiVersion\": \"v1\",
  \"kind\": \"Secret\",
  \"metadata\": {
    \"name\": \"$TOKEN_SECRET_NAME\",
    \"namespace\": \"$NAMESPACE\"
  },
  \"type\": \"Opaque\",
  \"data\": {
    \"access_token\": \"$SECRET_DATA\"
  }
}"

# Kubernetes API Request, authenticated with the pod's own service account token
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
SA_TOKEN=$(cat "$SA_DIR/token")
SECRET_URL="https://kubernetes.default.svc/api/v1/namespaces/$NAMESPACE/secrets"
echo "Checking if secret exists..."
SECRET_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
  -H "Authorization: Bearer $SA_TOKEN" \
  --cacert "$SA_DIR/ca.crt" \
  "$SECRET_URL/$TOKEN_SECRET_NAME")
if [ "$SECRET_EXISTS" = "200" ]; then
  # PUT replaces the whole object (unconditional update, no resourceVersion)
  echo "Secret exists. Updating..."
  K8S_RESPONSE=$(curl -s -X PUT \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $SA_TOKEN" \
    --cacert "$SA_DIR/ca.crt" \
    "$SECRET_URL/$TOKEN_SECRET_NAME" \
    -d "$SECRET_PAYLOAD" \
    -w "\nHTTP_STATUS:%{http_code}")
else
  echo "Secret does not exist. Creating..."
  K8S_RESPONSE=$(curl -s -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $SA_TOKEN" \
    --cacert "$SA_DIR/ca.crt" \
    "$SECRET_URL" \
    -d "$SECRET_PAYLOAD" \
    -w "\nHTTP_STATUS:%{http_code}")
fi
K8S_STATUS=$(echo "$K8S_RESPONSE" | grep HTTP_STATUS | cut -d':' -f2)
K8S_RESPONSE=$(echo "$K8S_RESPONSE" | grep -v HTTP_STATUS)
echo "Kubernetes API request completed with status: $K8S_STATUS"
# 200 = replaced, 201 = created
if [ "$K8S_STATUS" != "201" ] && [ "$K8S_STATUS" != "200" ]; then
  echo "Failed to update Kubernetes secret. Response:"
  echo "$K8S_RESPONSE"
  exit 1
fi
echo "Token updated successfully in Kubernetes secret '$TOKEN_SECRET_NAME'"
@sigismund
Avoided using 'jq' in order to use curl/curl image.
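Staying jq-free is workable, but the sed one-liners and the raw `-d` form fields in the gist have a few sharp edges. The following is an added example, not the gist author's code: helper functions that split the curl status suffix without grep (so they survive `set -o pipefail`), parse the token fields from both compact and pretty-printed JSON, refuse a token that would expire before the next CronJob run, and build the Secret manifest portably. `request_token` shows how to send the client secret from a mounted file with `--data-urlencode name@file` so it never appears in the process argument list; it is not called because it needs network access. All function names, the sample responses and the secret/namespace names are constructed for this example.

```shell
#!/bin/bash
# Added example, not part of the gist: hardened jq-free helpers. Function names
# and sample data are constructed for illustration.
set -eu

# Split a curl response captured with -w '\nHTTP_STATUS:%{http_code}' using
# parameter expansion instead of grep (grep -v fails under pipefail if the body
# is empty).
http_status() { printf '%s' "${1##*HTTP_STATUS:}"; }
http_body()   { printf '%s' "${1%HTTP_STATUS:*}"; }

# Extract a JSON string / integer field by key. Unlike the gist's sed patterns
# this tolerates newlines and whitespace around the colon, so it also works on
# pretty-printed responses (Keycloak, Dex, ...) and not only on compact JSON.
json_string() {  # json_string <json> <key>
  local one_line
  one_line=$(printf '%s' "$1" | tr -d '\n')
  printf '%s\n' "$one_line" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}
json_number() {  # json_number <json> <key>
  local one_line
  one_line=$(printf '%s' "$1" | tr -d '\n')
  printf '%s\n' "$one_line" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# A token that dies before the next run (plus a margin for the kubelet to
# propagate the updated Secret into the exporter pod) leaves Blackbox Exporter
# probing with an expired bearer; refuse it instead of writing it.
token_outlives_schedule() {  # token_outlives_schedule <expires_in> <interval_s> [margin_s]
  local expires_in=$1 interval=$2 margin=${3:-120}
  case $expires_in in ''|*[!0-9]*) return 1 ;; esac
  [ "$expires_in" -gt $((interval + margin)) ]
}

# Build the Secret manifest. `base64 | tr -d '\n'` is portable; -w 0 is GNU-only
# and absent from busybox base64.
secret_payload() {  # secret_payload <name> <namespace> <token>
  local b64
  b64=$(printf '%s' "$3" | base64 | tr -d '\n')
  printf '{"apiVersion":"v1","kind":"Secret","metadata":{"name":"%s","namespace":"%s"},"type":"Opaque","data":{"access_token":"%s"}}' \
    "$1" "$2" "$b64"
}

# Token request with the client secret read from a mounted file:
# --data-urlencode "name@file" makes curl read and URL-encode the file content,
# so the secret is not visible in `ps` or process audit logs as an argument and
# characters such as '&' or '+' survive intact. Not called below (needs network).
request_token() {  # request_token <token_url> <client_id> <scope> <secret_file>
  curl -sS -X POST "$1" \
    --data-urlencode "client_id=$2" \
    --data-urlencode "scope=$3" \
    --data-urlencode "client_secret@$4" \
    --data-urlencode "grant_type=client_credentials" \
    -w '\nHTTP_STATUS:%{http_code}'
}

# Offline demo on a constructed, pretty-printed response.
SAMPLE=$(printf '{\n  "access_token" : "hdr.payload.sig",\n  "expires_in" : 3599\n}\nHTTP_STATUS:200')
BODY=$(http_body "$SAMPLE")
echo "status=$(http_status "$SAMPLE") expires_in=$(json_number "$BODY" expires_in)"
if token_outlives_schedule "$(json_number "$BODY" expires_in)" 1800; then
  secret_payload blackbox-oidc-token monitoring "$(json_string "$BODY" access_token)"; echo
else
  echo "token lifetime too short for a 30-minute schedule; not writing the Secret" >&2
fi
```

Whichever variant runs in the CronJob, keep its service account to a Role that grants get/create/update on Secrets in that namespace only, ideally restricted with `resourceNames` to the one token secret, since the same credentials would otherwise let the job read every Secret there. Blackbox Exporter picks up the refreshed value through `bearer_token_file` pointing at the mounted Secret; the kubelet rewrites mounted Secret contents on its sync period (not when mounted via `subPath`), so schedule the job well inside `expires_in` minus that delay.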
