From 0064a9b130d0e52b917addffa9b10ff9ce19fad3 Mon Sep 17 00:00:00 2001 From: Jon Lester Date: Fri, 19 Nov 2021 13:37:03 -0500 Subject: [PATCH] updating scripts and charts These are probably broken now. need to be tested. --- .github/workflows/ci.yml | 4 +- .github/workflows/pluto.yml | 2 +- AutomationScripts/3-registerAADApp.sh | 5 +- AutomationScripts/4-deployMSALProxy.sh | 2 +- TemplateFiles/kuard-ingress.yaml | 8 +-- charts/msal-proxy/Chart.yaml | 2 +- charts/msal-proxy/templates/NOTES.txt | 8 +-- charts/msal-proxy/templates/_helpers.tpl | 20 +++---- charts/msal-proxy/templates/deployment.yaml | 60 +++++++++---------- charts/msal-proxy/templates/hpa.yaml | 6 +- charts/msal-proxy/templates/ingress.yaml | 4 +- charts/msal-proxy/templates/service.yaml | 6 +- .../msal-proxy/templates/serviceaccount.yaml | 4 +- .../templates/tests/test-connection.yaml | 6 +- charts/msal-proxy/values.yaml | 55 ++++++++++++++++- docs/securing-k8s-dashboard.md | 6 +- docs/setup-instructions.md | 8 +-- 17 files changed, 129 insertions(+), 77 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 226cc79..1303d4a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,8 +38,8 @@ jobs: steps: - uses: actions/checkout@v2 - run: brew install FairwindsOps/tap/pluto - ###- run: helm template ./charts/msal-proxy --api-versions v1.13.0 | pluto detect - - - run: pluto detect-files -d ./charts/msal-proxy + ###- run: helm template ./charts/easyauth-proxy --api-versions v1.13.0 | pluto detect - + - run: pluto detect-files -d ./charts/easyauth-proxy - run: pluto detect-files -d ./ push_to_registries: diff --git a/.github/workflows/pluto.yml b/.github/workflows/pluto.yml index 475bcf5..e37a034 100644 --- a/.github/workflows/pluto.yml +++ b/.github/workflows/pluto.yml 
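Review bot: Both `pluto detect-files -d ./charts/easyauth-proxy` and the commented-out `helm template` line point at a directory this patch does not create. Every chart file header in the diff still reads `charts/msal-proxy/...`, so the deprecated-API scan would target a missing path. Unless the directory is renamed in a separate commit, keep `-d ./charts/msal-proxy` until the move lands, or include the rename in this change. The same path is used by the `helm template` step in `.github/workflows/pluto.yml` and by `helm install` in `AutomationScripts/4-deployMSALProxy.sh`. It is worth confirming that the job fails, rather than passing with nothing scanned, when the directory is absent.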
@@ -16,6 +16,6 @@ jobs: steps: - uses: actions/checkout@v2 - run: brew install FairwindsOps/tap/pluto - - run: helm template ./charts/msal-proxy --api-versions v1.16.0 | pluto detect - + - run: helm template ./charts/easyauth-proxy --api-versions v1.16.0 | pluto detect - #pluto detect-files -d ./ diff --git a/AutomationScripts/3-registerAADApp.sh b/AutomationScripts/3-registerAADApp.sh index 07b042e..e055a9b 100644 --- a/AutomationScripts/3-registerAADApp.sh +++ b/AutomationScripts/3-registerAADApp.sh @@ -48,7 +48,10 @@ n=50 while [ -z "$CLIENT_SECRET" ] do CLIENT_SECRET=$(az ad app credential reset --id $CLIENT_ID -o json | jq '.password' -r) - echo "CLIENT_SECRET: " $CLIENT_SECRET + echo "***********************IMPORTANT**************************** " + echo "* Make note of the secret below. It will not be shown again" + echo "* CLIENT_SECRET: " $CLIENT_SECRET + echo "***********************IMPORTANT****************************" if [ "$n" == "0" ]; then echo "ERROR. INFINITE LOOP in 3-registerAADApp.sh." exit 1 diff --git a/AutomationScripts/4-deployMSALProxy.sh b/AutomationScripts/4-deployMSALProxy.sh index 3d0db0a..0fe4d53 100644 --- a/AutomationScripts/4-deployMSALProxy.sh +++ b/AutomationScripts/4-deployMSALProxy.sh @@ -9,7 +9,7 @@ echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..." echo "BEGIN @ $(date +"%T"): Calling Helm..." echo "" -helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy +helm install --set azureAd.tenantId=$AZURE_TENANT_ID --set azureAd.clientId=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET easyauth-proxy ./charts/easyauth-proxy echo "" echo "COMPLETE @ $(date +"%T"): Calling Helm" diff --git a/TemplateFiles/kuard-ingress.yaml b/TemplateFiles/kuard-ingress.yaml index 5db2caf..8d4c1da 100644 --- a/TemplateFiles/kuard-ingress.yaml +++ b/TemplateFiles/kuard-ingress.yaml 
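Review bot: The added banner in 3-registerAADApp.sh still writes the Azure AD client secret to stdout, so it lands in terminal scrollback and in any pipeline log that captures this script's output. The four `echo` lines also sit inside the `while [ -z "$CLIENT_SECRET" ]` loop ahead of the retry check, so a failed `az ad app credential reset` would print the banner with an empty value on each pass. Move the message after the loop and hand the value straight to an access-controlled store, such as the Kubernetes Secret the chart reads, instead of echoing it. If printing is kept, quote the expansions: `echo "* CLIENT_SECRET: $CLIENT_SECRET"` and `--id "$CLIENT_ID"`. The loop body continues outside the hunk.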
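Review bot: In 4-deployMSALProxy.sh, `--set secret.azureclientsecret=$CLIENT_SECRET` keeps the client secret on the helm command line, where it is visible in the process list and shell history. The unquoted expansions will also word-split or glob if a generated secret contains shell metacharacters. Quote each value, e.g. `--set azureAd.tenantId="$AZURE_TENANT_ID"`, and prefer supplying the secret through a permission-restricted values file or a pre-created Kubernetes Secret. Helm's `--set` also treats `,` as a separator, so a secret containing a comma must be escaped or passed by file. docs/setup-instructions.md in this same patch still documents `secret.azureadtenantid` and `secret.azureadclientid`, while the deployment template now takes these from `azureAd.tenantId` and `azureAd.clientId`.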
@@ -3,8 +3,8 @@ kind: Ingress metadata: name: kuard-ingress annotations: - nginx.ingress.kubernetes.io/auth-url: "https://$host/msal/auth" - nginx.ingress.kubernetes.io/auth-signin: "https://$host/msal/index?rd=$escaped_request_uri" + nginx.ingress.kubernetes.io/auth-url: "https://$host/easyauth/auth" + nginx.ingress.kubernetes.io/auth-signin: "https://$host/easyauth/login" nginx.ingress.kubernetes.io/auth-response-headers: "x-injected-aio,x-injected-name,x-injected-nameidentifier,x-injected-objectidentifier,x-injected-preferred_username,x-injected-tenantid,x-injected-uti" cert-manager.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/rewrite-target: /$1 @@ -30,7 +30,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: msal-proxy + name: easyauth-proxy annotations: kubernetes.io/ingress.class: nginx cert-manager.io/cluster-issuer: letsencrypt-prod @@ -48,7 +48,7 @@ spec: pathType: Prefix backend: service: - name: msal-proxy + name: easyauth-proxy port: number: 80 tls: diff --git a/charts/msal-proxy/Chart.yaml b/charts/msal-proxy/Chart.yaml index 3b0a858..1ff4544 100644 --- a/charts/msal-proxy/Chart.yaml +++ b/charts/msal-proxy/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: msal-proxy +name: easyauth-proxy description: A Helm chart for Kubernetes # A chart can be either an 'application' or a 'library' chart. diff --git a/charts/msal-proxy/templates/NOTES.txt b/charts/msal-proxy/templates/NOTES.txt index b0fb11f..577c6fb 100644 --- a/charts/msal-proxy/templates/NOTES.txt +++ b/charts/msal-proxy/templates/NOTES.txt 
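Review bot: The new `auth-signin` value in the first kuard-ingress.yaml hunk drops the `rd=$escaped_request_uri` query parameter. Returning the user to the originally requested page now depends on the ingress controller appending a redirect parameter itself, or on the proxy's `defaultRedirectAfterSignin` fallback. Confirm which applies for the controller version this template targets and record it in a comment above the annotation, e.g. `# redirect target is supplied by the ingress controller; proxy falls back to defaultRedirectAfterSignin`. The second Ingress in this file must also route the new `/easyauth` prefix. Its `path` is outside the visible hunks, and the doc samples elsewhere in this patch still show `path: /msal`.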
@@ -6,16 +6,16 @@ {{- end }} {{- end }} {{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "msal-proxy.fullname" . }}) + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "easyauth-proxy.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") echo http://$NODE_IP:$NODE_PORT {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "msal-proxy.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "msal-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "easyauth-proxy.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "easyauth-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") echo http://$SERVICE_IP:{{ .Values.service.port }} {{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "msal-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "easyauth-proxy.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 {{- end }} diff --git a/charts/msal-proxy/templates/_helpers.tpl b/charts/msal-proxy/templates/_helpers.tpl index 59d3bbc..ab78d32 100644 --- a/charts/msal-proxy/templates/_helpers.tpl +++ b/charts/msal-proxy/templates/_helpers.tpl @@ -2,7 +2,7 @@ {{/* Expand the name of the chart. */}} -{{- define "msal-proxy.name" -}} +{{- define "easyauth-proxy.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} @@ -11,7 +11,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "msal-proxy.fullname" -}} +{{- define "easyauth-proxy.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} @@ -27,16 +27,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "msal-proxy.chart" -}} +{{- define "easyauth-proxy.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "msal-proxy.labels" -}} -helm.sh/chart: {{ include "msal-proxy.chart" . }} -{{ include "msal-proxy.selectorLabels" . }} +{{- define "easyauth-proxy.labels" -}} +helm.sh/chart: {{ include "easyauth-proxy.chart" . }} +{{ include "easyauth-proxy.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} 
@@ -46,17 +46,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "msal-proxy.selectorLabels" -}} -app.kubernetes.io/name: {{ include "msal-proxy.name" . }} +{{- define "easyauth-proxy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "easyauth-proxy.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Create the name of the service account to use */}} -{{- define "msal-proxy.serviceAccountName" -}} +{{- define "easyauth-proxy.serviceAccountName" -}} {{- if .Values.serviceAccount.create }} -{{- default (include "msal-proxy.fullname" .) .Values.serviceAccount.name }} +{{- default (include "easyauth-proxy.fullname" .) .Values.serviceAccount.name }} {{- else }} {{- default "default" .Values.serviceAccount.name }} {{- end }} diff --git a/charts/msal-proxy/templates/deployment.yaml b/charts/msal-proxy/templates/deployment.yaml index 5131dda..c453cef 100644 --- a/charts/msal-proxy/templates/deployment.yaml +++ b/charts/msal-proxy/templates/deployment.yaml @@ -1,16 +1,16 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ include "msal-proxy.fullname" . }} + name: {{ include "easyauth-proxy.fullname" . }} labels: - {{- include "msal-proxy.labels" . | nindent 4 }} + {{- include "easyauth-proxy.labels" . | nindent 4 }} spec: {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} {{- end }} selector: matchLabels: - {{- include "msal-proxy.selectorLabels" . | nindent 6 }} + {{- include "easyauth-proxy.selectorLabels" . | nindent 6 }} template: metadata: {{- with .Values.podAnnotations }} 
@@ -18,13 +18,13 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} labels: - {{- include "msal-proxy.selectorLabels" . | nindent 8 }} + {{- include "easyauth-proxy.selectorLabels" . | nindent 8 }} spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ include "msal-proxy.serviceAccountName" . }} + serviceAccountName: {{ include "easyauth-proxy.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} volumes: 
@@ -51,46 +51,46 @@ spec: port: http env: - name: Logging__LogLevel__Default - value: {{ .Values.env.LogLevel }} - - name: ForceHttps - value: "{{ .Values.env.ForceHttps }}" + value: {{ .Values.logging.logLevel }} - name: EasyAuthForK8s__DataProtectionFileLocation - value: {{ .Values.env.EasyAuthForK8sSigninPath }} + value: {{ .Values.easyAuthForK8s.dataProtectionFileLocation }} - name: EasyAuthForK8s__SigninPath - value: "{{ .Values.env.EasyAuthForK8sSigninPath }}" + value: "{{ .Values.easyAuthForK8s.signinPath }}" - name: EasyAuthForK8s__AuthPath - value: {{ .Values.env.EasyAuthForK8sAuthPath }} + value: {{ .Values.easyAuthForK8s.authPath }} - name: EasyAuthForK8s__AllowBearerToken - value: "{{ .Values.env.EasyAuthForK8sAllowBearerToken }}" + value: "{{ .Values.easyAuthForK8s.allowBearerToken }}" - name: EasyAuthForK8s__DefaultRedirectAfterSignin - value: "{{ .Values.env.EasyAuthForK8sDefaultRedirectAfterSignin }}" + value: "{{ .Values.easyAuthForK8s.defaultRedirectAfterSignin }}" + name: EasyAuthForK8s__CompressCookieClaims + value: "{{ .Values.easyAuthForK8s.compressCookieClaims }}" + - name: EasyAuthForK8s__ResponseHeaderPrefix + value: {{ .Values.easyAuthForK8s.responseHeaderPrefix }} + - name: EasyAuthForK8s__ClaimEncodingMethod + value: "{{ .Values.easyAuthForK8s.claimEncodingMethod }}" + - name: EasyAuthForK8s__HeaderFormatOption + value: "{{ .Values.easyAuthForK8s.headerFormatOption }}" - name: AzureAd__Instance - value: {{ .Values.env.AzureAdInstance }} + value: {{ .Values.azureAd.instance }} - name: AzureAd__Domain - value: {{ .Values.env.AzureAdDomain }} - - name: AzureAd__CallbackPath - value: {{ .Values.env.AzureAdCallbackPath }} - - name: AzureAd__SignedOutCallbackPath - value: {{ .Values.env.AzureAdSignedOutCallbackPath }} - - name: AzureAd__SignUpSignInPolicyId - value: {{ .Values.env.AzureAdSignUpSignInPolicyId }} + value: {{ .Values.azureAd.domain }} - name: AzureAd__TenantId - valueFrom: - secretKeyRef: - name: {{ 
.Values.env.AzureAdTenantIdKeyRefName }} - key: {{ .Values.env.AzureAdTenantIdKeyRefKey }} + value: {{ .Values.azureAd.tenantId }} - name: AzureAd__ClientId - valueFrom: - secretKeyRef: - name: {{ .Values.env.AzureAdClientIdKeyRefName }} - key: {{ .Values.env.AzureAdClientIdKeyRefKey }} + value: {{ .Values.azureAd.clientId }} + - name: AzureAd__CallbackPath + value: {{ .Values.azureAd.callbackPath }} + - name: AzureAd__SignedOutCallbackPath + value: {{ .Values.azureAd.signedOutCallbackPath }} + - name: AzureAd__SignUpSignInPolicyId + value: {{ .Values.azureAd.signUpSignInPolicyId }} - name: AzureAd__ClientSecret valueFrom: secretKeyRef: name: {{ .Values.env.AzureAdClientSecretKeyRefName }} key: {{ .Values.env.AzureAdClientSecretKeyRefKey }} volumeMounts: - - mountPath: {{ .Values.env.DataProtectionFileLocation }} + - mountPath: {{ .Values.easyAuthForK8s.dataProtectionFileLocation }} name: {{ .Values.volumeName }} resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/charts/msal-proxy/templates/hpa.yaml b/charts/msal-proxy/templates/hpa.yaml index 95dd405..19dfe21 100644 --- a/charts/msal-proxy/templates/hpa.yaml +++ b/charts/msal-proxy/templates/hpa.yaml @@ -2,14 +2,14 @@ apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler metadata: - name: {{ include "msal-proxy.fullname" . }} + name: {{ include "easyauth-proxy.fullname" . }} labels: - {{- include "msal-proxy.labels" . | nindent 4 }} + {{- include "easyauth-proxy.labels" . | nindent 4 }} spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ include "msal-proxy.fullname" . }} + name: {{ include "easyauth-proxy.fullname" . }} minReplicas: {{ .Values.autoscaling.minReplicas }} maxReplicas: {{ .Values.autoscaling.maxReplicas }} metrics: diff --git a/charts/msal-proxy/templates/ingress.yaml b/charts/msal-proxy/templates/ingress.yaml index 84931db..6c6f2d1 100644 --- a/charts/msal-proxy/templates/ingress.yaml +++ b/charts/msal-proxy/templates/ingress.yaml 
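Review bot: The added `name: EasyAuthForK8s__CompressCookieClaims` line has no leading `- `, unlike every other entry in the `env` list. As shown, it repeats the `name`/`value` keys of the preceding `EasyAuthForK8s__DefaultRedirectAfterSignin` item instead of starting a new one; it should read `- name: EasyAuthForK8s__CompressCookieClaims`. Several new values are rendered unquoted (`tenantId`, `clientId`, `domain`, `signUpSignInPolicyId`), and with the empty-string defaults in values.yaml they render as null. Use `value: {{ required "azureAd.tenantId is required" .Values.azureAd.tenantId | quote }}` (likewise for `clientId`, and `| quote` on the optional ones) so the auth proxy cannot be deployed unconfigured. `AzureAd__ClientSecret` still reads `.Values.env.AzureAdClientSecretKeyRefName` while values.yaml adds `azureAd.clientSecretKeyRefName`; pick one source. The container spec starts and ends outside this hunk.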
@@ -1,5 +1,5 @@ {{- if .Values.ingress.enabled -}} -{{- $fullName := include "msal-proxy.fullname" . -}} +{{- $fullName := include "easyauth-proxy.fullname" . -}} {{- $svcPort := .Values.service.port -}} {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1beta1 @@ -10,7 +10,7 @@ kind: Ingress metadata: name: {{ $fullName }} labels: - {{- include "msal-proxy.labels" . | nindent 4 }} + {{- include "easyauth-proxy.labels" . | nindent 4 }} {{- with .Values.ingress.annotations }} annotations: {{- toYaml . | nindent 4 }} diff --git a/charts/msal-proxy/templates/service.yaml b/charts/msal-proxy/templates/service.yaml index c3e23ea..52e14be 100644 --- a/charts/msal-proxy/templates/service.yaml +++ b/charts/msal-proxy/templates/service.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Service metadata: - name: {{ include "msal-proxy.fullname" . }} + name: {{ include "easyauth-proxy.fullname" . }} labels: - {{- include "msal-proxy.labels" . | nindent 4 }} + {{- include "easyauth-proxy.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: @@ -12,4 +12,4 @@ spec: protocol: TCP name: http selector: - {{- include "msal-proxy.selectorLabels" . | nindent 4 }} + {{- include "easyauth-proxy.selectorLabels" . | nindent 4 }} diff --git a/charts/msal-proxy/templates/serviceaccount.yaml b/charts/msal-proxy/templates/serviceaccount.yaml index d02129c..fb18b7b 100644 --- a/charts/msal-proxy/templates/serviceaccount.yaml +++ b/charts/msal-proxy/templates/serviceaccount.yaml @@ -2,9 +2,9 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "msal-proxy.serviceAccountName" . }} + name: {{ include "easyauth-proxy.serviceAccountName" . }} labels: - {{- include "msal-proxy.labels" . | nindent 4 }} + {{- include "easyauth-proxy.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} annotations: {{- toYaml . | nindent 4 }} 
diff --git a/charts/msal-proxy/templates/tests/test-connection.yaml b/charts/msal-proxy/templates/tests/test-connection.yaml index c98be84..42d6572 100644 --- a/charts/msal-proxy/templates/tests/test-connection.yaml +++ b/charts/msal-proxy/templates/tests/test-connection.yaml @@ -1,9 +1,9 @@ apiVersion: v1 kind: Pod metadata: - name: "{{ include "msal-proxy.fullname" . }}-test-connection" + name: "{{ include "easyauth-proxy.fullname" . }}-test-connection" labels: - {{- include "msal-proxy.labels" . | nindent 4 }} + {{- include "easyauth-proxy.labels" . | nindent 4 }} annotations: "helm.sh/hook": test-success spec: @@ -11,5 +11,5 @@ spec: - name: wget image: busybox command: ['wget'] - args: ['{{ include "msal-proxy.fullname" . }}:{{ .Values.service.port }}'] + args: ['{{ include "easyauth-proxy.fullname" . }}:{{ .Values.service.port }}'] restartPolicy: Never diff --git a/charts/msal-proxy/values.yaml b/charts/msal-proxy/values.yaml index 805c39b..58616c7 100644 --- a/charts/msal-proxy/values.yaml +++ b/charts/msal-proxy/values.yaml @@ -1,4 +1,4 @@ -# Default values for msal-proxy. +# Default values for easyauth-proxy. # This is a YAML-formatted file. # Declare variables to be passed into your templates. @@ -46,13 +46,13 @@ ingress: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" hosts: [] -# - host: thfalgou-msal-proxy.southcentralus.cloudapp.azure.com +# - host: thfalgou-easyauth-proxy.southcentralus.cloudapp.azure.com # paths: # - /msal tls: [] # - secretName: ingress-tls-prod # hosts: -# - thfalgou-msal-proxy.southcentralus.cloudapp.azure.com +# - thfalgou-easyauth-proxy.southcentralus.cloudapp.azure.com resources: {} # We usually recommend not to specify default resources and to leave this as a conscious 
@@ -85,6 +85,55 @@ tolerations: [] affinity: {} + +logging: + logLevel: Information + +azureAd: + instance: "https://login.microsoftonline.com/" + # domain is not required. including one will set the + # "domain hint" during login, that makes it a little easier + # for users to choose the right login account + domain: "" + # the Azure AD tenant that thould be used + tenantId: "" + # app Id of the service principal. + clientId: "" + # there's no reason to change these unless there is a conflict + # such as another easyauth proxy using the same host name + callbackPath: "/easyauth/signin-oidc" + signedOutCallbackPath : "/easyauth/signout-callback-oidc" + # Leave this blank if not B2C + signUpSignInPolicyId: "" + clientSecretKeyRefName: aad-secret + clientSecretKeyRefKey: CLIENT_SECRET + + easyAuthForK8s: + # data protection key ring location + dataProtectionFileLocation: "/mnt/dp" + # there's no reason to change these unless there is a conflict + # such as another easyauth proxy using the same host name + signinPath: "/easyauth/login" + authPath: "/easyauth/auth" + # use bearer token as a fall back for cookies + # normally for API web applications only + allowBearerToken: "false" + # fallback path to redirect user after signin if + # prior page url cannot be determined + defaultRedirectAfterSignin: "/" + # Make the cookie payload as small as possible to avoid having to + # increase the allowed nginx header size. + compressCookieClaims: "true", + # All informational headers sent to the backend will be prefixed with: + responseHeaderPrefix: "x-injected-" + # encoding method used for headers extracted from claims + # valid values are UrlEncode, Base64, None and NoneWithReject + claimEncodingMethod: "UrlEncode" + # how to send the headers + # Separate = a separate header for each claim + # Combined = a single header with a JSON object containing all claims + headerFormatOption: "Separate" + env: ForceHttps: "true" LogLevel: Debug 
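Review bot: `compressCookieClaims: "true",` ends with a trailing comma, which is not valid after a quoted scalar in block-style YAML. The values file would likely fail to parse and block every install or template run; the line should be `compressCookieClaims: "true"`. `signedOutCallbackPath :` also has a stray space before the colon. `tenantId` and `clientId` default to `""` and nothing in the visible templates rejects empty values, so mark them in a comment as required, e.g. `# required: set via --set or a values file`. The retained `env:` block still carries `ForceHttps` and `LogLevel: Debug`, which the updated deployment no longer reads. Removing the stale keys avoids the impression that HTTPS enforcement or log verbosity is controlled there.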
diff --git a/docs/securing-k8s-dashboard.md b/docs/securing-k8s-dashboard.md index 06abd89..9971c44 100644 --- a/docs/securing-k8s-dashboard.md +++ b/docs/securing-k8s-dashboard.md @@ -22,7 +22,7 @@ Each Ingress resource to authenticate requires a FQDN and SSL. For the setup-in ``` # Delete the existing ingress rules -kubectl delete ingress kuard msal-proxy +kubectl delete ingress kuard easyauth-proxy # Ensure the required envirionment variables are set: echo $APP_HOSTNAME @@ -59,14 +59,14 @@ spec: apiVersion: extensions/v1beta1 kind: Ingress metadata: - name: msal-proxy + name: easyauth-proxy spec: rules: - host: $APP_HOSTNAME http: paths: - backend: - serviceName: msal-proxy + serviceName: easyauth-proxy servicePort: 80 path: /msal tls: diff --git a/docs/setup-instructions.md b/docs/setup-instructions.md index c1f1c0a..c427e92 100644 --- a/docs/setup-instructions.md +++ b/docs/setup-instructions.md @@ -187,7 +187,7 @@ echo $CLIENT_SECRET ``` # Go to the root of the repo before running this command -helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy +helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET easyauth-proxy ./charts/easyauth-proxy # Confirm everything was deployed. kubectl get svc,deploy,pod @@ -302,7 +302,7 @@ spec: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: msal-proxy + name: easyauth-proxy annotations: kubernetes.io/ingress.class: nginx cert-manager.io/cluster-issuer: letsencrypt-prod @@ -315,7 +315,7 @@ spec: pathType: Prefix backend: service: - name: msal-proxy + name: easyauth-proxy port: number: 80 tls: 
@@ -357,7 +357,7 @@ It should look something like this: az ad app delete --id $CLIENT_ID helm delete nginx-ingress --purge helm delete cert-manager --purge - helm delete msal-proxy --purge + helm delete easyauth-proxy --purge kubectl delete secret ingress-tls-prod kubectl delete -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml kubectl delete ns cert-manager