updating scripts and charts

These are probably broken now.  need to be tested.

.github/workflows/ci.yml

@@ -38,8 +38,8 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - run: brew install FairwindsOps/tap/pluto
-      ###- run: helm template ./charts/msal-proxy --api-versions v1.13.0 | pluto detect -
-      - run: pluto detect-files -d ./charts/msal-proxy
+      ###- run: helm template ./charts/easyauth-proxy --api-versions v1.13.0 | pluto detect -
+      - run: pluto detect-files -d ./charts/easyauth-proxy
       - run: pluto detect-files -d ./
       
   push_to_registries:

.github/workflows/pluto.yml

@@ -16,6 +16,6 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - run: brew install FairwindsOps/tap/pluto
-      - run: helm template ./charts/msal-proxy --api-versions v1.16.0 | pluto detect -
+      - run: helm template ./charts/easyauth-proxy --api-versions v1.16.0 | pluto detect -
       
       #pluto detect-files -d ./

AutomationScripts/3-registerAADApp.sh

@@ -48,7 +48,10 @@ n=50
 while [ -z "$CLIENT_SECRET" ]
 do
   CLIENT_SECRET=$(az ad app credential reset --id $CLIENT_ID -o json | jq '.password' -r)
-  echo "CLIENT_SECRET: " $CLIENT_SECRET
+  echo "***********************IMPORTANT**************************** "
+  echo "* Make note of the secret below.  It will not be shown again"
+  echo "* CLIENT_SECRET: " $CLIENT_SECRET
+  echo "***********************IMPORTANT****************************"
   if [ "$n" == "0" ]; then
     echo "ERROR. INFINITE LOOP in 3-registerAADApp.sh."
     exit 1

AutomationScripts/4-deployMSALProxy.sh

@@ -9,7 +9,7 @@ echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..."
 echo "BEGIN @ $(date +"%T"): Calling Helm..."
 echo ""
 
-helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy
+helm install --set azureAd.tenantId=$AZURE_TENANT_ID --set azureAd.clientId=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET easyauth-proxy ./charts/easyauth-proxy
 
 echo ""
 echo "COMPLETE @ $(date +"%T"): Calling Helm"

TemplateFiles/kuard-ingress.yaml

@@ -3,8 +3,8 @@ kind: Ingress
 metadata:
   name: kuard-ingress
   annotations:
-    nginx.ingress.kubernetes.io/auth-url: "https://$host/msal/auth"
-    nginx.ingress.kubernetes.io/auth-signin: "https://$host/msal/index?rd=$escaped_request_uri"
+    nginx.ingress.kubernetes.io/auth-url: "https://$host/easyauth/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://$host/easyauth/login"
     nginx.ingress.kubernetes.io/auth-response-headers: "x-injected-aio,x-injected-name,x-injected-nameidentifier,x-injected-objectidentifier,x-injected-preferred_username,x-injected-tenantid,x-injected-uti"
     cert-manager.io/cluster-issuer: letsencrypt-prod
     nginx.ingress.kubernetes.io/rewrite-target: /$1
@@ -30,7 +30,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: msal-proxy
+  name: easyauth-proxy
   annotations:
     kubernetes.io/ingress.class: nginx
     cert-manager.io/cluster-issuer: letsencrypt-prod
@@ -48,7 +48,7 @@ spec:
         pathType: Prefix
         backend:
           service:
-            name: msal-proxy
+            name: easyauth-proxy
             port:
               number: 80
   tls:

charts/msal-proxy/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-name: msal-proxy
+name: easyauth-proxy
 description: A Helm chart for Kubernetes
 
 # A chart can be either an 'application' or a 'library' chart.

charts/msal-proxy/templates/NOTES.txt

@@ -6,16 +6,16 @@
   {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "msal-proxy.fullname" . }})
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "easyauth-proxy.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "msal-proxy.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "msal-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "easyauth-proxy.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "easyauth-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
   echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "msal-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "easyauth-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80
 {{- end }}

charts/msal-proxy/templates/_helpers.tpl

@@ -2,7 +2,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "msal-proxy.name" -}}
+{{- define "easyauth-proxy.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -11,7 +11,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "msal-proxy.fullname" -}}
+{{- define "easyauth-proxy.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -27,16 +27,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "msal-proxy.chart" -}}
+{{- define "easyauth-proxy.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "msal-proxy.labels" -}}
-helm.sh/chart: {{ include "msal-proxy.chart" . }}
-{{ include "msal-proxy.selectorLabels" . }}
+{{- define "easyauth-proxy.labels" -}}
+helm.sh/chart: {{ include "easyauth-proxy.chart" . }}
+{{ include "easyauth-proxy.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -46,17 +46,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "msal-proxy.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "msal-proxy.name" . }}
+{{- define "easyauth-proxy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "easyauth-proxy.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "msal-proxy.serviceAccountName" -}}
+{{- define "easyauth-proxy.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "msal-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "easyauth-proxy.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

charts/msal-proxy/templates/deployment.yaml

@@ -1,16 +1,16 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "msal-proxy.fullname" . }}
+  name: {{ include "easyauth-proxy.fullname" . }}
   labels:
-    {{- include "msal-proxy.labels" . | nindent 4 }}
+    {{- include "easyauth-proxy.labels" . | nindent 4 }}
 spec:
 {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
 {{- end }}
   selector:
     matchLabels:
-      {{- include "msal-proxy.selectorLabels" . | nindent 6 }}
+      {{- include "easyauth-proxy.selectorLabels" . | nindent 6 }}
   template:
     metadata:
     {{- with .Values.podAnnotations }}
@@ -18,13 +18,13 @@ spec:
         {{- toYaml . | nindent 8 }}
     {{- end }}
       labels:
-        {{- include "msal-proxy.selectorLabels" . | nindent 8 }}
+        {{- include "easyauth-proxy.selectorLabels" . | nindent 8 }}
     spec:
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "msal-proxy.serviceAccountName" . }}
+      serviceAccountName: {{ include "easyauth-proxy.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       volumes:
@@ -51,46 +51,46 @@ spec:
               port: http
           env:
              -  name: Logging__LogLevel__Default
-                value: {{ .Values.env.LogLevel }}
-             -  name: ForceHttps
-                value: "{{ .Values.env.ForceHttps }}"
+                value: {{ .Values.logging.logLevel }}
              -  name: EasyAuthForK8s__DataProtectionFileLocation
-                value: {{ .Values.env.EasyAuthForK8sSigninPath }}                
+                value: {{ .Values.easyAuthForK8s.dataProtectionFileLocation }}                
              -  name: EasyAuthForK8s__SigninPath
-                value: "{{ .Values.env.EasyAuthForK8sSigninPath }}"
+                value: "{{ .Values.easyAuthForK8s.signinPath }}"
              -  name: EasyAuthForK8s__AuthPath
-                value: {{ .Values.env.EasyAuthForK8sAuthPath }}
+                value: {{ .Values.easyAuthForK8s.authPath }}
              -  name: EasyAuthForK8s__AllowBearerToken
-                value: "{{ .Values.env.EasyAuthForK8sAllowBearerToken }}"
+                value: "{{ .Values.easyAuthForK8s.allowBearerToken }}"
              -  name: EasyAuthForK8s__DefaultRedirectAfterSignin
-                value: "{{ .Values.env.EasyAuthForK8sDefaultRedirectAfterSignin }}"                
+                value: "{{ .Values.easyAuthForK8s.defaultRedirectAfterSignin }}"
+                name: EasyAuthForK8s__CompressCookieClaims
+                value: "{{ .Values.easyAuthForK8s.compressCookieClaims }}"
+             -  name: EasyAuthForK8s__ResponseHeaderPrefix
+                value: {{ .Values.easyAuthForK8s.responseHeaderPrefix }}
+             -  name: EasyAuthForK8s__ClaimEncodingMethod
+                value: "{{ .Values.easyAuthForK8s.claimEncodingMethod }}"
+             -  name: EasyAuthForK8s__HeaderFormatOption
+                value: "{{ .Values.easyAuthForK8s.headerFormatOption }}"                  
              -  name: AzureAd__Instance
-                value: {{ .Values.env.AzureAdInstance }}
+                value: {{ .Values.azureAd.instance }}
              -  name: AzureAd__Domain
-                value: {{ .Values.env.AzureAdDomain }}
-             -  name: AzureAd__CallbackPath
-                value: {{ .Values.env.AzureAdCallbackPath }}
-             -  name: AzureAd__SignedOutCallbackPath
-                value: {{ .Values.env.AzureAdSignedOutCallbackPath }}      
-             -  name: AzureAd__SignUpSignInPolicyId
-                value: {{ .Values.env.AzureAdSignUpSignInPolicyId }}                            
+                value: {{ .Values.azureAd.domain }}
              -  name: AzureAd__TenantId
-                valueFrom:
-                  secretKeyRef:
-                    name: {{ .Values.env.AzureAdTenantIdKeyRefName }}
-                    key: {{ .Values.env.AzureAdTenantIdKeyRefKey }}
+                value: {{ .Values.azureAd.tenantId }}
              -  name: AzureAd__ClientId
-                valueFrom:
-                  secretKeyRef:
-                    name: {{ .Values.env.AzureAdClientIdKeyRefName }}
-                    key: {{ .Values.env.AzureAdClientIdKeyRefKey }}
+                value: {{ .Values.azureAd.clientId }}
+             -  name: AzureAd__CallbackPath
+                value: {{ .Values.azureAd.callbackPath }}
+             -  name: AzureAd__SignedOutCallbackPath
+                value: {{ .Values.azureAd.signedOutCallbackPath }}      
+             -  name: AzureAd__SignUpSignInPolicyId
+                value: {{ .Values.azureAd.signUpSignInPolicyId }}                            
              -  name: AzureAd__ClientSecret
                 valueFrom:
                   secretKeyRef:
                     name: {{ .Values.env.AzureAdClientSecretKeyRefName }}
                     key: {{ .Values.env.AzureAdClientSecretKeyRefKey }}
           volumeMounts:
-          - mountPath: {{ .Values.env.DataProtectionFileLocation }}
+          - mountPath: {{ .Values.easyAuthForK8s.dataProtectionFileLocation }}
             name: {{ .Values.volumeName }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}

charts/msal-proxy/templates/hpa.yaml

@@ -2,14 +2,14 @@
 apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
-  name: {{ include "msal-proxy.fullname" . }}
+  name: {{ include "easyauth-proxy.fullname" . }}
   labels:
-    {{- include "msal-proxy.labels" . | nindent 4 }}
+    {{- include "easyauth-proxy.labels" . | nindent 4 }}
 spec:
   scaleTargetRef:
     apiVersion: apps/v1
     kind: Deployment
-    name: {{ include "msal-proxy.fullname" . }}
+    name: {{ include "easyauth-proxy.fullname" . }}
   minReplicas: {{ .Values.autoscaling.minReplicas }}
   maxReplicas: {{ .Values.autoscaling.maxReplicas }}
   metrics:

charts/msal-proxy/templates/ingress.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.ingress.enabled -}}
-{{- $fullName := include "msal-proxy.fullname" . -}}
+{{- $fullName := include "easyauth-proxy.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
 {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1beta1
@@ -10,7 +10,7 @@ kind: Ingress
 metadata:
   name: {{ $fullName }}
   labels:
-    {{- include "msal-proxy.labels" . | nindent 4 }}
+    {{- include "easyauth-proxy.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/msal-proxy/templates/service.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "msal-proxy.fullname" . }}
+  name: {{ include "easyauth-proxy.fullname" . }}
   labels:
-    {{- include "msal-proxy.labels" . | nindent 4 }}
+    {{- include "easyauth-proxy.labels" . | nindent 4 }}
 spec:
   type: {{ .Values.service.type }}
   ports:
@@ -12,4 +12,4 @@ spec:
       protocol: TCP
       name: http
   selector:
-    {{- include "msal-proxy.selectorLabels" . | nindent 4 }}
+    {{- include "easyauth-proxy.selectorLabels" . | nindent 4 }}

charts/msal-proxy/templates/serviceaccount.yaml

@@ -2,9 +2,9 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "msal-proxy.serviceAccountName" . }}
+  name: {{ include "easyauth-proxy.serviceAccountName" . }}
   labels:
-    {{- include "msal-proxy.labels" . | nindent 4 }}
+    {{- include "easyauth-proxy.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}

charts/msal-proxy/templates/tests/test-connection.yaml

@@ -1,9 +1,9 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: "{{ include "msal-proxy.fullname" . }}-test-connection"
+  name: "{{ include "easyauth-proxy.fullname" . }}-test-connection"
   labels:
-    {{- include "msal-proxy.labels" . | nindent 4 }}
+    {{- include "easyauth-proxy.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": test-success
 spec:
@@ -11,5 +11,5 @@ spec:
     - name: wget
       image: busybox
       command: ['wget']
-      args: ['{{ include "msal-proxy.fullname" . }}:{{ .Values.service.port }}']
+      args: ['{{ include "easyauth-proxy.fullname" . }}:{{ .Values.service.port }}']
   restartPolicy: Never

charts/msal-proxy/values.yaml

@@ -1,4 +1,4 @@
-# Default values for msal-proxy.
+# Default values for easyauth-proxy.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
@@ -46,13 +46,13 @@ ingress:
     # kubernetes.io/ingress.class: nginx
     # kubernetes.io/tls-acme: "true"
   hosts: []
-#    - host: thfalgou-msal-proxy.southcentralus.cloudapp.azure.com
+#    - host: thfalgou-easyauth-proxy.southcentralus.cloudapp.azure.com
 #      paths:
 #        - /msal
   tls: []
 #    - secretName: ingress-tls-prod
 #      hosts:
-#        - thfalgou-msal-proxy.southcentralus.cloudapp.azure.com 
+#        - thfalgou-easyauth-proxy.southcentralus.cloudapp.azure.com 
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -85,6 +85,55 @@ tolerations: []
 
 affinity: {}
 
+
+logging:
+  logLevel: Information
+
+azureAd: 
+  instance: "https://login.microsoftonline.com/"
+  # domain is not required.  including one will set the 
+  # "domain hint" during login, that makes it a little easier
+  # for users to choose the right login account
+  domain: ""
+  # the Azure AD tenant that thould be used
+  tenantId: ""
+  # app Id of the service principal.
+  clientId: ""
+  # there's no reason to change these unless there is a conflict
+  # such as another easyauth proxy using the same host name
+  callbackPath: "/easyauth/signin-oidc"
+  signedOutCallbackPath : "/easyauth/signout-callback-oidc"
+  # Leave this blank if not B2C
+  signUpSignInPolicyId: ""
+  clientSecretKeyRefName: aad-secret
+  clientSecretKeyRefKey: CLIENT_SECRET
+
+  easyAuthForK8s: 
+    # data protection key ring location
+    dataProtectionFileLocation: "/mnt/dp"
+    # there's no reason to change these unless there is a conflict
+    # such as another easyauth proxy using the same host name
+    signinPath: "/easyauth/login"
+    authPath: "/easyauth/auth"
+    # use bearer token as a fall back for cookies
+    # normally for API web applications only
+    allowBearerToken: "false"
+    # fallback path to redirect user after signin if
+    # prior page url cannot be determined
+    defaultRedirectAfterSignin: "/"
+    # Make the cookie payload as small as possible to avoid having to 
+    # increase the allowed nginx header size.  
+    compressCookieClaims: "true",
+    # All informational headers sent to the backend will be prefixed with:
+    responseHeaderPrefix: "x-injected-"
+    # encoding method used for headers extracted from claims
+    # valid values are UrlEncode, Base64, None and NoneWithReject
+    claimEncodingMethod: "UrlEncode"
+    # how to send the headers
+    # Separate = a separate header for each claim
+    # Combined = a single header with a JSON object containing all claims
+    headerFormatOption: "Separate"
+
 env:
   ForceHttps: "true"
   LogLevel: Debug

docs/securing-k8s-dashboard.md

@@ -22,7 +22,7 @@ Each Ingress resource to authenticate requires a FQDN and SSL.  For the setup-in
 
 ```
 # Delete the existing ingress rules
-kubectl delete ingress kuard msal-proxy
+kubectl delete ingress kuard easyauth-proxy
 
 # Ensure the required envirionment variables are set:
 echo $APP_HOSTNAME
@@ -59,14 +59,14 @@ spec:
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
-  name: msal-proxy
+  name: easyauth-proxy
 spec:
   rules:
   - host: $APP_HOSTNAME
     http:
       paths:
       - backend:
-          serviceName: msal-proxy
+          serviceName: easyauth-proxy
           servicePort: 80
         path: /msal
   tls:

docs/setup-instructions.md

@@ -187,7 +187,7 @@ echo $CLIENT_SECRET
 ```
 
 # Go to the root of the repo before running this command
-helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy
+helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET easyauth-proxy ./charts/easyauth-proxy
 
 # Confirm everything was deployed.
 kubectl get svc,deploy,pod
@@ -302,7 +302,7 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: msal-proxy
+  name: easyauth-proxy
   annotations:
     kubernetes.io/ingress.class: nginx
     cert-manager.io/cluster-issuer: letsencrypt-prod
@@ -315,7 +315,7 @@ spec:
         pathType: Prefix
         backend:
           service:
-            name: msal-proxy
+            name: easyauth-proxy
             port:
               number: 80
   tls:
@@ -357,7 +357,7 @@ It should look something like this:
     az ad app delete --id $CLIENT_ID
     helm delete nginx-ingress --purge
     helm delete cert-manager --purge
-    helm delete msal-proxy --purge
+    helm delete easyauth-proxy --purge
     kubectl delete secret ingress-tls-prod
     kubectl delete -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml
     kubectl delete ns cert-manager