Merge pull request #857 from mjudeikis/split.env
Split RP and tooling SP
Коммит
b366b92f3e
|
@ -7,6 +7,9 @@
|
|||
},
|
||||
"fpServicePrincipalId": {
|
||||
"type": "string"
|
||||
},
|
||||
"devServicePrincipalId":{
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
|
@ -77,6 +80,28 @@
|
|||
"principalType": "ServicePrincipal"
|
||||
},
|
||||
"apiVersion": "2018-09-01-preview"
|
||||
},
|
||||
{
|
||||
"name": "[guid(subscription().id, 'Dev / Contributor')]",
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"properties": {
|
||||
"scope": "[subscription().id]",
|
||||
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
|
||||
"principalId": "[parameters('devServicePrincipalId')]",
|
||||
"principalType": "ServicePrincipal"
|
||||
},
|
||||
"apiVersion": "2018-09-01-preview"
|
||||
},
|
||||
{
|
||||
"name": "[guid(subscription().id, 'Dev / User Access Administrator')]",
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"properties": {
|
||||
"scope": "[subscription().id]",
|
||||
"roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
|
||||
"principalId": "[parameters('devServicePrincipalId')]",
|
||||
"principalType": "ServicePrincipal"
|
||||
},
|
||||
"apiVersion": "2018-09-01-preview"
|
||||
}
|
||||
]
|
||||
}
|
||||
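Review bot: The `Dev / User Access Administrator` assignment at `[subscription().id]` for `devServicePrincipalId`, together with the `Dev / Contributor` assignment just above it, lets the tooling principal grant itself any further role on the whole subscription, which is Owner in all but name. If E2E and tooling only need to manage role assignments on resources they create, scoping both assignments to the resource group would bound what a leaked `AZURE_CLIENT_SECRET` can do; if subscription scope is genuinely required, the docs list that names these two roles should state why. Separately, `"devServicePrincipalId":{` in the parameters hunk lacks the space after the colon that the neighbouring parameters use.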
|
|
|
@ -128,10 +128,31 @@ locations.
|
|||
|
||||
1. Create an AAD application which will fake up the RP identity.
|
||||
|
||||
```bash
|
||||
AZURE_RP_CLIENT_SECRET="$(uuidgen)"
|
||||
AZURE_RP_CLIENT_ID="$(az ad app create \
|
||||
--display-name aro-v4-rp-shared \
|
||||
--end-date '2299-12-31T11:59:59+00:00' \
|
||||
--identifier-uris "https://$(uuidgen)/" \
|
||||
--key-type password \
|
||||
--password "$AZURE_CLIENT_SECRET" \
|
||||
--query appId \
|
||||
-o tsv)"
|
||||
az ad sp create --id "$AZURE_RP_CLIENT_ID" >/dev/null
|
||||
```
|
||||
|
||||
Later this application will be granted:
|
||||
|
||||
* `Reader` on RESOURCEGROUP.
|
||||
* `Secrets / Get` on the key vault in RESOURCEGROUP.
|
||||
* `DocumentDB Account Contributor` on the CosmosDB resource in RESOURCEGROUP.
|
||||
|
||||
1. Create an AAD application which will be used by E2E and tooling.
|
||||
|
||||
```bash
|
||||
AZURE_CLIENT_SECRET="$(uuidgen)"
|
||||
AZURE_CLIENT_ID="$(az ad app create \
|
||||
--display-name aro-v4-rp-shared \
|
||||
--display-name aro-v4-tooling-shared \
|
||||
--end-date '2299-12-31T11:59:59+00:00' \
|
||||
--identifier-uris "https://$(uuidgen)/" \
|
||||
--key-type password \
|
||||
|
@ -143,9 +164,8 @@ locations.
|
|||
|
||||
Later this application will be granted:
|
||||
|
||||
* `Reader` on RESOURCEGROUP.
|
||||
* `Secrets / Get` on the key vault in RESOURCEGROUP.
|
||||
* `DocumentDB Account Contributor` on the CosmosDB resource in RESOURCEGROUP.
|
||||
* `Contributor` on your subscription.
|
||||
* `User Access Administrator` on your subscription.
|
||||
|
||||
1. Set up the RP role definitions and subscription role assignments in your
|
||||
Azure subscription. This mimics the RBAC that ARM sets up. With at least
|
||||
|
@ -158,6 +178,7 @@ locations.
|
|||
--parameters \
|
||||
"armServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_ARM_CLIENT_ID'" --query '[].objectId' -o tsv)" \
|
||||
"fpServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_FP_CLIENT_ID'" --query '[].objectId' -o tsv)" \
|
||||
"devServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_CLIENT_ID'" --query '[].objectId' -o tsv)" \
|
||||
>/dev/null
|
||||
```
|
||||
|
||||
|
@ -239,6 +260,8 @@ locations.
|
|||
export AZURE_FP_CLIENT_ID='$AZURE_FP_CLIENT_ID'
|
||||
export AZURE_CLIENT_ID='$AZURE_CLIENT_ID'
|
||||
export AZURE_CLIENT_SECRET='$AZURE_CLIENT_SECRET'
|
||||
export AZURE_RP_CLIENT_ID='$AZURE_RP_CLIENT_ID'
|
||||
export AZURE_RP_CLIENT_SECRET='$AZURE_RP_CLIENT_SECRET'
|
||||
export RESOURCEGROUP="$RESOURCEGROUP_PREFIX-\$LOCATION"
|
||||
export PROXY_HOSTNAME="vm0.$PROXY_DOMAIN_NAME_LABEL.\$LOCATION.cloudapp.azure.com"
|
||||
export DATABASE_NAME="\$USER"
|
||||
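Review bot: In the new RP application step, `--password "$AZURE_CLIENT_SECRET" \` passes the tooling secret, which is only generated in the following step, instead of the `AZURE_RP_CLIENT_SECRET` created two lines earlier; someone following the doc creates the RP app with an empty or wrong password while the env file later records `$AZURE_RP_CLIENT_SECRET`. Change that line to `--password "$AZURE_RP_CLIENT_SECRET" \`. The tooling step is cut off at the end of the hunk, so its own `--password` line cannot be checked from here.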
|
|
|
@ -16,7 +16,7 @@ deploy_rp_dev_predeploy() {
|
|||
"adminObjectId=$ADMIN_OBJECT_ID" \
|
||||
"fpServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_FP_CLIENT_ID'" --query '[].objectId' -o tsv)" \
|
||||
"keyvaultPrefix=$KEYVAULT_PREFIX" \
|
||||
"rpServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_CLIENT_ID'" --query '[].objectId' -o tsv)" >/dev/null
|
||||
"rpServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_RP_CLIENT_ID'" --query '[].objectId' -o tsv)" >/dev/null
|
||||
}
|
||||
|
||||
deploy_rp_dev() {
|
||||
|
@ -29,7 +29,7 @@ deploy_rp_dev() {
|
|||
"databaseAccountName=$COSMOSDB_ACCOUNT" \
|
||||
"domainName=$DOMAIN_NAME.$PARENT_DOMAIN_NAME" \
|
||||
"fpServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_FP_CLIENT_ID'" --query '[].objectId' -o tsv)" \
|
||||
"rpServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_CLIENT_ID'" --query '[].objectId' -o tsv)" >/dev/null
|
||||
"rpServicePrincipalId=$(az ad sp list --filter "appId eq '$AZURE_RP_CLIENT_ID'" --query '[].objectId' -o tsv)" >/dev/null
|
||||
}
|
||||
|
||||
deploy_env_dev() {
|
||||
|
@ -163,7 +163,7 @@ echo "COSMOSDB_ACCOUNT=$COSMOSDB_ACCOUNT"
|
|||
echo "DATABASE_NAME=$DATABASE_NAME"
|
||||
echo
|
||||
echo "ADMIN_OBJECT_ID=$ADMIN_OBJECT_ID"
|
||||
echo "AZURE_CLIENT_ID=$AZURE_CLIENT_ID"
|
||||
echo "AZURE_RP_CLIENT_ID=$AZURE_RP_CLIENT_ID"
|
||||
echo "AZURE_FP_CLIENT_ID=$AZURE_FP_CLIENT_ID"
|
||||
echo
|
||||
echo "DOMAIN_NAME=$DOMAIN_NAME"
|
||||
|
@ -185,6 +185,6 @@ echo "######################################"
|
|||
[ "$PARENT_DOMAIN_NAME" ] || ( echo ">> PARENT_DOMAIN_NAME is not set please validate your ./secrets/env"; exit 128 )
|
||||
[ "$AZURE_FP_CLIENT_ID" ] || ( echo ">> AZURE_FP_CLIENT_ID is not set please validate your ./secrets/env"; exit 128 )
|
||||
[ "$KEYVAULT_PREFIX" ] || ( echo ">> KEYVAULT_PREFIX is not set please validate your ./secrets/env"; exit 128 )
|
||||
[ "$AZURE_CLIENT_ID" ] || ( echo ">> AZURE_CLIENT_ID is not set please validate your ./secrets/env"; exit 128 )
|
||||
[ "$AZURE_RP_CLIENT_ID" ] || ( echo ">> AZURE_RP_CLIENT_ID is not set please validate your ./secrets/env"; exit 128 )
|
||||
[ "$PULL_SECRET" ] || ( echo ">> PULL_SECRET is not set please validate your ./secrets/env"; exit 128 )
|
||||
[ "$PARENT_DOMAIN_RESOURCEGROUP" ] || ( echo ">> PARENT_DOMAIN_RESOURCEGROUP is not set please validate your ./secrets/env"; exit 128 )
|
||||
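Review bot: The new `AZURE_RP_CLIENT_ID` guard copies the surrounding pattern in which `exit 128` runs inside `( … )`, so it only terminates the subshell and the script carries on with the variable unset unless the file runs under `set -e`, which is not visible in this hunk. A brace group aborts the script itself: `[ "$AZURE_RP_CLIENT_ID" ] || { echo ">> AZURE_RP_CLIENT_ID is not set please validate your ./secrets/env"; exit 128; }`. If this script also expects `AZURE_RP_CLIENT_SECRET` from `./secrets/env`, nothing in the hunk checks it, so a guard for it would belong next to this one.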
|
|
|
@ -129,7 +129,7 @@ func envDevelopmentJson() (*asset, error) {
|
|||
return a, nil
|
||||
}
|
||||
|
||||
var _rbacDevelopmentJson = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x57\x5b\x8f\xe2\x36\x14\x7e\xe7\x57\x58\x69\x25\x58\x89\x90\x0b\x97\x84\x79\x43\x5d\x4d\xb5\x0f\xbb\x8b\x86\x69\x5f\x10\x0f\x8e\x7d\xc2\x78\x9b\xd8\xd6\xb1\xc3\x68\xb6\xe2\xbf\x57\x49\xb8\x93\xd9\xb9\xa1\x76\x2a\x2d\xbc\x10\xfb\xf8\xf3\x77\xce\xf9\xf2\xd9\xfc\xdd\x22\x84\x10\xe7\x57\xc3\xee\x20\xa7\xce\x15\x71\xee\xac\xd5\xe6\xca\xf3\xea\x91\x5e\x4e\x25\x5d\x42\x0e\xd2\xf6\xe8\xf7\x02\xa1\xc7\x54\xbe\x99\x33\x5e\xe8\x07\x43\xd7\x0f\x5c\x3f\xf0\x38\xe8\x4c\x3d\x94\x71\xb7\x90\xeb\x8c\x5a\xe8\x7d\x33\x4a\xfe\xe2\x74\xeb\x1d\x98\x92\x16\xa4\xfd\x13\xd0\x08\x25\xcb\x8d\x82\x9e\x5f\x7e\xb7\x01\x9a\x22\xcd\xc1\x02\x1a\xe7\x8a\xd4\xb4\xaa\x71\x8a\xf9\x0c\x70\x25\x18\x4c\x51\x48\x26\x34\xcd\x3e\xf1\xa3\x90\x2a\xcc\x3e\x68\x28\x51\x8d\x45\x21\x97\xce\x6e\x72\xdd\xdd\x43\xa5\xfa\x4d\x48\xad\x03\x3c\x07\xc1\xa8\x02\x19\x94\x6c\xe7\xbb\x98\x13\x28\x49\xf3\x0a\x2a\x1a\x03\x1f\x44\x03\xea\x46\xe1\x28\x72\x07\x69\x1a\xbb\x49\x18\x8e\xdc\xf1\x28\x18\xf8\x09\xf8\xa3\x90\x86\x4e\xb7\x99\xc6\x67\xc1\x50\x19\x95\xda\xde\xa4\xb0\x77\x0a\xc5\x77\x6a\x85\x92\x1e\xaa\x0c\x3e\x42\x2a\xa4\x28\x1f\xcd\xe9\x72\x8d\x4a\x03\x5a\x01\xe6\x2c\xc3\x9a\xbf\xca\xe0\xcb\x86\xde\xe4\xe6\x2b\x59\x0d\xc8\x47\x58\x41\xa6\x74\xd9\x43\x72\x2d\xd0\x58\x32\xa5\x68\x1f\xc8\xac\x48\x0c\x43\xa1\xcb\x7d\x4e\xb6\xa9\xb7\x02\xcc\x85\x31\x15\x8b\xc3\x62\x1c\x7e\xce\x19\xec\x96\x53\x66\x7f\xb8\x74\x17\xb8\xaf\xc4\xcd\xb6\xf8\x9e\x39\xe0\x66\xbc\x6d\x53\x7e\x47\x55\x68\xe3\xdd\xa3\xb0\xe0\x3c\x0a\xba\x68\x9c\x59\x9f\x8d\x2e\x1a\x72\xa6\xc6\x88\xa5\xa4\x49\x06\x33\xa6\x34\x3c\xce\xde\x99\x1f\x52\xec\x7c\xe8\x09\xbe\x38\xa7\x74\x4c\x65\x7d\xd2\x4b\xaa\xc5\xc1\x7b\x13\xfa\x41\x5c\xbf\x74\xae\x46\x58\x09\xb8\x6f\x54\xfb\x23\x52\x4c\xfb\x29\x44\x09\x0b\x5c\x1f\xd2\xb1\x3b\x18\xc5\x81\x4b\x47\x31\x73\x59\x90\xd2\x30\x1e\xf2\x51\x10\xc6\xef\x4b\x8a\xb3\x22\x91\x60\xc9\x6f\x4a\x5a\x14\x49\x61\x15\xbe\x0f\x11\x7e\x01\x7b\xaf\xf0\x2f\x0f\x55\x61\xe1\
xb6\x94\x82\xf1\xbe\x29\x21\xbd\x1a\xab\x81\xe4\x0b\x80\x10\x28\x7f\x1b\x42\x2d\xfe\x17\x43\xac\x04\xda\x82\x66\x9b\xc7\x37\x66\x74\x0a\xf6\xba\xac\x4e\x51\x4c\x25\x88\x0b\x53\xdb\x82\x5e\x96\xe2\x4f\x07\xda\x63\x6c\x1d\x68\xbe\x2c\x04\xef\x9c\x71\xea\x92\xf6\xf5\x94\x78\x64\xe3\x00\xd7\xd3\xa3\x73\xa7\xfd\x61\xf1\x1a\x57\x9a\x54\x45\x2a\x6d\xe4\xcc\x95\x38\x68\x90\xdc\x7c\x95\x8d\x85\x3b\x2e\xda\xf6\xbc\xf9\xc4\x3b\xed\x67\x9a\x60\xbb\x4b\xda\xcf\x39\xf6\xcb\xc4\x5a\x3f\xe8\xf5\x93\xee\x69\xca\xee\x57\x75\x6d\x68\x73\x83\x6e\x8e\x79\x56\x17\xa0\x7f\x35\xd9\x26\xef\x3e\xba\x8e\x39\xf3\xfd\x55\xb0\xd3\x6e\xba\xb3\x3d\x05\x73\xbb\x51\xc6\xe9\x4a\xe7\xc5\x1a\x1f\x5f\x5c\xe3\x93\x9b\xcf\xc4\x23\x7f\x18\x40\x32\x61\x0c\x8c\x21\x13\x9e\x0b\x29\x8c\x45\x6a\x15\x5e\x5e\xe7\xff\x17\xfd\x04\x31\x8f\x78\x1c\x73\x97\xf7\x87\xe0\x0e\xd2\x64\xe8\xd2\x21\xeb\xbb\x51\x14\xf5\x59\xe8\xd3\x28\xe4\xe3\x57\xe8\xa7\xf1\xef\xc3\x7f\x2e\xa0\xea\xd7\xa2\xb5\x6e\xfd\x13\x00\x00\xff\xff\xa4\xf6\x09\x01\x80\x0d\x00\x00")
|
||||
var _rbacDevelopmentJson = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\x57\x5d\x4f\xe3\x38\x14\x7d\xef\xaf\xb0\xb2\x2b\x95\x91\xea\x26\x71\xd3\x24\xe5\xad\x5a\xc4\x6a\x1e\x66\x06\x01\xbb\x2f\xa8\x0f\x8e\x7d\x03\x9e\x4d\x6c\xcb\x76\x8a\x98\x15\xff\x7d\x95\xa4\xdf\x0d\x33\xd0\xa9\x46\xa0\x05\x5e\x1a\xfb\xfa\xf8\xdc\xeb\x93\xe3\x9b\x7f\x7b\x08\x21\xe4\xfd\x6e\xd9\x1d\x94\xd4\x3b\x45\xde\x9d\x73\xda\x9e\xfa\x7e\x3b\x32\x2c\xa9\xa4\xb7\x50\x82\x74\x43\xfa\xad\x32\x30\x64\xaa\x5c\xcc\x59\x9f\x04\xe1\x18\x07\x21\x0e\x42\x9f\x83\x2e\xd4\x43\x1d\x77\x0d\xa5\x2e\xa8\x83\xe1\x57\xab\xe4\x6f\xde\xa0\xdd\x81\x29\xe9\x40\xba\xbf\xc1\x58\xa1\x64\xbd\x51\x38\x0c\xea\xff\x65\x80\xa6\x86\x96\xe0\xc0\x58\xef\x14\xb5\xb4\x9a\x71\x6a\xca\x2b\x30\x73\xc1\xe0\xc2\x08\xc9\x84\xa6\xc5\x47\xbe\x15\xd2\x84\xb9\x07\x0d\x35\xaa\x75\x46\xc8\x5b\x6f\x35\xf9\x38\x58\x43\xe5\xfa\x58\x48\x1c\xe6\x5d\x50\xcf\x45\xea\x6d\xe0\x79\x06\xac\xaa\x0c\x83\x3a\xef\x9b\x55\xcc\x0e\x94\xa4\x65\x03\x95\x4c\x80\x47\x49\x44\x71\x42\xe2\x04\x47\x79\x9e\xe2\x8c\x90\x18\x4f\xe2\x30\x0a\x32\x08\x62\x42\x89\x37\xe8\xa6\xf1\x49\x30\xa3\xac\xca\xdd\x70\x5a\xb9\x3b\x65\xc4\x37\xea\x84\x92\xbe\x51\x05\x9c\x41\x2e\xa4\xa8\x1f\xed\xee\x72\x6d\x94\x06\xe3\x04\xd8\xbd\x5a\xb5\xfc\x55\x01\x9f\x17\xf4\xa6\x97\x5f\xd0\x3c\x42\x67\x30\x87\x42\xe9\x5a\x0d\xe8\x5c\x18\xeb\xd0\x05\x35\xee\x01\x5d\x55\x99\x65\x46\xe8\x7a\x9f\x9d\x6d\xda\xad\xc0\x94\xc2\xda\x86\xc5\x66\x31\x36\xff\xf6\x19\xac\x96\x53\xe6\xbe\xbb\x74\x15\xb8\xae\xc4\xe5\xb2\xf8\xbe\xdd\xe0\x66\xfd\xe5\xa1\xfc\x69\x54\xa5\xad\x7f\x6f\x84\x03\xef\x49\xd0\x59\xe7\xcc\xe3\xde\xe8\xac\x23\x67\x6a\xad\xb8\x95\x34\x2b\xe0\x8a\x29\x0d\x4f\xb3\xf7\x6e\x36\x29\x9e\x7c\x18\x0a\x3e\xdb\xa7\xb4\x4d\xe5\x71\xe7\x2c\xa9\x16\x1b\x6f\x20\x09\xc2\xb4\x7d\x7d\xb1\x36\x30\x17\x70\xdf\xa9\xf6\x27\xa4\x98\x8f\x72\x48\x32\x16\xe2\x00\xf2\x09\x8e\xe2\x34\xc4\x34\x4e\x19\x66\x61\x4e\x49\x3a\xe6\x71\x48\xd2\xd7\x25\xc5\xab\x2a\x93\xe0\xd0\x1f\x4a\x3a\x23\xb2\xca\x29\xf3\x3a\x44\xf8\x19\
xdc\xbd\x32\xff\xf8\x46\x55\x0e\xae\x6b\x29\x58\xff\xab\x12\xd2\x6f\xb1\x3a\x48\xbe\x00\xc8\x00\xe5\x3f\x87\xd0\x8a\xff\xc5\x10\x73\x61\x5c\x45\x8b\xc5\xe3\x4f\x66\xb4\x0b\x76\x58\x56\xbb\x28\xb6\x11\xc4\x91\xa9\x2d\x41\x8f\x4b\xf1\xdd\x81\xd6\x18\x4b\x07\xba\xb9\xad\x04\x3f\xd9\xe3\x34\x40\xfd\xf3\x0b\xe4\xa3\x85\x03\x9c\x5f\x6c\xdd\x3b\xfd\x0f\xb3\x43\x5c\x69\xda\x14\xa9\xb6\x91\x3d\x57\xe2\xa0\x41\x72\xfb\x45\x76\x16\x6e\xbb\x68\xcb\xfb\xe6\x23\x3f\xe9\x3f\xd3\x04\xfb\x03\xd4\x7f\xce\xb5\x5f\x27\xd6\xfb\xce\x59\xff\xd0\x3d\x6d\x7d\xfa\x4d\x5d\x3b\x8e\xb9\x43\x37\xdb\x3c\x9b\x56\xea\x97\x26\xdb\xe5\xdd\x5b\x8d\x9d\x77\xb3\x6e\x2a\x4f\xfa\x5d\xdd\xdf\x8f\x60\xae\x17\xca\xd8\x5d\xe9\xbd\x58\xe3\x93\xa3\x6b\x7c\x7a\xf9\x09\xf9\xe8\x2f\x0b\x06\x4d\x19\x03\x6b\xd1\x94\x97\x42\x0a\xeb\x0c\x75\xca\x1c\x5f\xe7\x6f\x45\x3f\x61\xca\x13\x9e\xa6\x1c\xf3\xd1\x18\x70\x94\x67\x63\x4c\xc7\x6c\x84\x93\x24\x19\x31\x12\xd0\x84\xf0\xc9\x01\xfa\xe9\xfc\x10\x79\xcb\x02\x3a\x83\x39\xf2\x37\xbb\xa1\xff\xaf\x64\x32\x12\x4d\xd2\x94\x32\x1c\x87\x69\x80\x23\x42\x03\x4c\xb3\x34\xc5\x24\xc8\x93\x51\x4a\x38\x27\x11\x3b\x40\x32\x9d\x9f\x89\x6f\x5f\x32\xef\x9e\xf3\xab\x3c\xe7\x75\x0a\xa8\xf9\x35\xeb\x3d\xf6\xfe\x0b\x00\x00\xff\xff\x7a\xba\x5c\xc9\x3e\x12\x00\x00")
|
||||
|
||||
func rbacDevelopmentJsonBytes() ([]byte, error) {
|
||||
return bindataRead(
|
||||
|
|
|
@ -63,6 +63,8 @@ type dev struct {
|
|||
|
||||
func newDev(ctx context.Context, log *logrus.Entry, instancemetadata instancemetadata.InstanceMetadata) (*dev, error) {
|
||||
for _, key := range []string{
|
||||
"AZURE_RP_CLIENT_ID",
|
||||
"AZURE_RP_CLIENT_SECRET",
|
||||
"AZURE_ARM_CLIENT_ID",
|
||||
"AZURE_ARM_CLIENT_SECRET",
|
||||
"AZURE_FP_CLIENT_ID",
|
||||
|
@ -87,7 +89,19 @@ func newDev(ctx context.Context, log *logrus.Entry, instancemetadata instancemet
|
|||
roleassignments: authorization.NewRoleAssignmentsClient(instancemetadata.SubscriptionID(), armAuthorizer),
|
||||
}
|
||||
|
||||
d.prod, err = newProd(ctx, log, instancemetadata)
|
||||
config := auth.NewClientCredentialsConfig(os.Getenv("AZURE_RP_CLIENT_ID"), os.Getenv("AZURE_RP_CLIENT_SECRET"), os.Getenv("AZURE_TENANT_ID"))
|
||||
config.Resource = azure.PublicCloud.ResourceIdentifiers.KeyVault
|
||||
kvAuthorizer, err := config.Authorizer()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
rpAuthorizer, err := auth.NewClientCredentialsConfig(os.Getenv("AZURE_RP_CLIENT_ID"), os.Getenv("AZURE_RP_CLIENT_SECRET"), os.Getenv("AZURE_TENANT_ID")).Authorizer()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
d.prod, err = newProd(ctx, log, instancemetadata, rpAuthorizer, kvAuthorizer)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
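Review bot: `auth.NewClientCredentialsConfig(os.Getenv("AZURE_RP_CLIENT_ID"), os.Getenv("AZURE_RP_CLIENT_SECRET"), os.Getenv("AZURE_TENANT_ID"))` is built twice in `newDev`, once as `config` and again inline for `rpAuthorizer`, and the two differ only in `Resource`. Reading the credential triple once and deriving both from it keeps them from drifting: keep `config` with its default `Resource` for `rpAuthorizer`, and add `kvConfig := config` / `kvConfig.Resource = azure.PublicCloud.ResourceIdentifiers.KeyVault` before `kvConfig.Authorizer()`. A short comment such as `// both authorizers use the RP service principal; only the token audience differs` would make the intent explicit. `AZURE_TENANT_ID` is read here but the required-variable loop at the top of the section is cut off in this view, so whether it is validated is worth confirming. newDev's body continues past the end of the hunk.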
|
|
|
@ -11,6 +11,8 @@ import (
|
|||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/Azure/go-autorest/autorest/azure"
|
||||
"github.com/Azure/go-autorest/autorest/azure/auth"
|
||||
"github.com/sirupsen/logrus"
|
||||
|
||||
"github.com/Azure/ARO-RP/pkg/util/clientauthorizer"
|
||||
|
@ -72,5 +74,15 @@ func NewEnv(ctx context.Context, log *logrus.Entry) (Interface, error) {
|
|||
return newInt(ctx, log, im)
|
||||
}
|
||||
|
||||
return newProd(ctx, log, im)
|
||||
kvAuthorizer, err := auth.NewAuthorizerFromEnvironmentWithResource(azure.PublicCloud.ResourceIdentifiers.KeyVault)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
rpAuthorizer, err := auth.NewAuthorizerFromEnvironment()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return newProd(ctx, log, im, rpAuthorizer, kvAuthorizer)
|
||||
}
|
||||
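Review bot: The lines that build `kvAuthorizer` and `rpAuthorizer` from the environment in `NewEnv` are repeated verbatim in `newInt` in the next file section, so the two production-like paths can silently diverge (for example if one later gains a different Key Vault resource or error wrapping). A package-level helper that both call would remove the duplication; it needs `github.com/Azure/go-autorest/autorest` for the return type, which prod.go already imports. `newInt` would then reduce to the same three lines shown below for `NewEnv`.

```go
// newProdAuthorizers builds the two authorizers newProd needs from the
// process environment: one for ARM and one scoped to Key Vault.
func newProdAuthorizers() (rpAuthorizer, kvAuthorizer autorest.Authorizer, err error) {
	kvAuthorizer, err = auth.NewAuthorizerFromEnvironmentWithResource(azure.PublicCloud.ResourceIdentifiers.KeyVault)
	if err != nil {
		return nil, nil, err
	}

	rpAuthorizer, err = auth.NewAuthorizerFromEnvironment()
	if err != nil {
		return nil, nil, err
	}

	return rpAuthorizer, kvAuthorizer, nil
}

// … unchanged: NewEnv up to and including the newInt branch …
	rpAuthorizer, kvAuthorizer, err := newProdAuthorizers()
	if err != nil {
		return nil, err
	}

	return newProd(ctx, log, im, rpAuthorizer, kvAuthorizer)
```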
|
|
|
@ -6,13 +6,25 @@ package env
|
|||
import (
|
||||
"context"
|
||||
|
||||
"github.com/Azure/go-autorest/autorest/azure"
|
||||
"github.com/Azure/go-autorest/autorest/azure/auth"
|
||||
"github.com/sirupsen/logrus"
|
||||
|
||||
"github.com/Azure/ARO-RP/pkg/util/instancemetadata"
|
||||
)
|
||||
|
||||
func newInt(ctx context.Context, log *logrus.Entry, instancemetadata instancemetadata.InstanceMetadata) (*prod, error) {
|
||||
p, err := newProd(ctx, log, instancemetadata)
|
||||
kvAuthorizer, err := auth.NewAuthorizerFromEnvironmentWithResource(azure.PublicCloud.ResourceIdentifiers.KeyVault)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
rpAuthorizer, err := auth.NewAuthorizerFromEnvironment()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
p, err := newProd(ctx, log, instancemetadata, rpAuthorizer, kvAuthorizer)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
@ -17,7 +17,6 @@ import (
|
|||
"github.com/Azure/go-autorest/autorest"
|
||||
"github.com/Azure/go-autorest/autorest/adal"
|
||||
"github.com/Azure/go-autorest/autorest/azure"
|
||||
"github.com/Azure/go-autorest/autorest/azure/auth"
|
||||
"github.com/sirupsen/logrus"
|
||||
|
||||
"github.com/Azure/ARO-RP/pkg/deploy/generator"
|
||||
|
@ -63,12 +62,7 @@ type prod struct {
|
|||
log *logrus.Entry
|
||||
}
|
||||
|
||||
func newProd(ctx context.Context, log *logrus.Entry, instancemetadata instancemetadata.InstanceMetadata) (*prod, error) {
|
||||
kvAuthorizer, err := auth.NewAuthorizerFromEnvironmentWithResource(azure.PublicCloud.ResourceIdentifiers.KeyVault)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
func newProd(ctx context.Context, log *logrus.Entry, instancemetadata instancemetadata.InstanceMetadata, rpAuthorizer, kvAuthorizer autorest.Authorizer) (*prod, error) {
|
||||
p := &prod{
|
||||
InstanceMetadata: instancemetadata,
|
||||
|
||||
|
@ -80,12 +74,7 @@ func newProd(ctx context.Context, log *logrus.Entry, instancemetadata instanceme
|
|||
log: log,
|
||||
}
|
||||
|
||||
rpAuthorizer, err := auth.NewAuthorizerFromEnvironment()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err = p.populateCosmosDB(ctx, rpAuthorizer)
|
||||
err := p.populateCosmosDB(ctx, rpAuthorizer)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
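Review bot: `newProd` now receives two `autorest.Authorizer` values distinguished only by parameter position, and the hunk shows no doc comment stating which token audience each must carry; passing them swapped compiles and fails only at runtime against Cosmos DB or Key Vault. Before this change the function obtained both from the environment itself, so the contract was local; now it is the caller's, and a comment above the signature such as `// newProd builds the production environment. rpAuthorizer must carry an ARM-audience token (used by populateCosmosDB); kvAuthorizer must carry a Key Vault-audience token.` records it. Where `kvAuthorizer` is consumed is not visible here, presumably further down for the key vault client; confirm the comment matches. newProd's body continues past the end of the hunk.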
|
|