diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2b138f2..2ee6734 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,9 +30,20 @@ jobs: - name: Test run: dotnet test OCP.Msal.Proxy.Tests/OCP.Msal.Proxy.Tests.csproj --no-build --verbosity normal + check_for_depreciated_APIs: + name: Check Depreciated K8s APIs + runs-on: macos-latest + needs: build + + steps: + - uses: actions/checkout@v2 + - run: brew install FairwindsOps/tap/pluto + - run: helm template ./charts/msal-proxy | pluto detect - + #- run: pluto detect-files -d ./charts/msal-proxy + push_to_registries: - needs: build + needs: check_for_depreciated_APIs name: Push Docker image to multiple registries runs-on: ubuntu-latest permissions: diff --git a/.github/workflows/pluto.yml b/.github/workflows/pluto.yml new file mode 100644 index 0000000..83c14c4 --- /dev/null +++ b/.github/workflows/pluto.yml @@ -0,0 +1,17 @@ +# This is a basic workflow to help you get started with Actions + +name: Check deprecated APIs + +on: + push: + workflow_dispatch: + +jobs: + mac: + runs-on: macos-latest + steps: + - uses: actions/checkout@v2 + - run: brew install FairwindsOps/tap/pluto + - run: helm template ./charts/msal-proxy | pluto detect - + + #pluto detect-files -d ./ diff --git a/AutomationScripts/4-deployMSALProxy.sh b/AutomationScripts/4-deployMSALProxy.sh index 0feb057..e71b767 100644 --- a/AutomationScripts/4-deployMSALProxy.sh +++ b/AutomationScripts/4-deployMSALProxy.sh 
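Review bot: Nothing pins the version of the tool that now gates the image push: `brew install FairwindsOps/tap/pluto` pulls whatever the tap serves on the day the job runs, and `actions/checkout@v2` is a mutable tag, while `push_to_registries` is changed to `needs: check_for_depreciated_APIs`, so an upstream change to either flows straight into the release path. Pin pluto to a specific release (a checksummed download of the published binary, or a version-pinned action) and pin `actions/checkout` to a full commit SHA. It is also worth confirming that `pluto detect -` exits non-zero on deprecated/removed findings for the version installed; if it only reports, the gate is a no-op. Minor: the job id and name misspell "deprecated" (`name: Check Deprecated K8s APIs`), and `macos-latest` appears to be chosen only to get brew — a Linux runner with a downloaded release binary would do the same job more cheaply.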
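Review bot: The new pluto.yml workflow has no top-level `permissions:` block, so its `GITHUB_TOKEN` receives the repository default scope although the job only reads the checkout; add `permissions:` with `contents: read` at workflow level. It triggers on every `push` to any branch and duplicates the `check_for_depreciated_APIs` job that this same commit adds to ci.yml, so the same unpinned `brew install FairwindsOps/tap/pluto` and `actions/checkout@v2` concerns apply here and one of the two copies should probably be dropped. The leftover template comment `# This is a basic workflow to help you get started with Actions` can go.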
@@ -4,23 +4,12 @@ echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..." -echo "BEGIN @ $(date +"%T"): Deploying secret..." -echo "" - -kubectl create secret generic aad-secret \ - --from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \ - --from-literal=CLIENT_ID=$CLIENT_ID \ - --from-literal=CLIENT_SECRET=$CLIENT_SECRET - -echo "" -echo "COMPLETE @ $(date +"%T"): Deploying secret" - # kubectl apply -f msal-net-proxy.yaml echo "BEGIN @ $(date +"%T"): Calling Helm..." echo "" -helm install msal-proxy ./charts/msal-proxy +helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy echo "" echo "COMPLETE @ $(date +"%T"): Calling Helm" diff --git a/TemplateFiles/azure-files-storage-class.yaml b/TemplateFiles/azure-files-storage-class.yaml deleted file mode 100644 index 98d2079..0000000 --- a/TemplateFiles/azure-files-storage-class.yaml +++ /dev/null @@ -1,15 +0,0 @@ -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: azurefile -provisioner: kubernetes.io/azure-file -mountOptions: - - dir_mode=0777 - - file_mode=0777 - - uid=1000 - - gid=1000 - - mfsymlinks - - nobrl - - cache=none -parameters: - skuName: Standard_LRS diff --git a/TemplateFiles/azure-pvc-roles.yaml b/TemplateFiles/azure-pvc-roles.yaml deleted file mode 100644 index 9c941a6..0000000 --- a/TemplateFiles/azure-pvc-roles.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:azure-cloud-provider -rules: -- apiGroups: [''] - resources: ['secrets'] - verbs: ['get','create'] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:azure-cloud-provider -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: system:azure-cloud-provider -subjects: -- kind: ServiceAccount - name: persistent-volume-binder - namespace: kube-system 
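Review bot: The new `helm install --set secret.azureclientsecret=$CLIENT_SECRET ...` line hands the client secret to Helm's `--set` parser unquoted; `--set` splits on unescaped `,` and treats `\` as an escape, and it type-coerces values, so a secret containing either character is silently truncated or mangled and `b64enc` in the chart can fail on a coerced value. Read it from a file descriptor instead, e.g. `--set-file secret.azureclientsecret=<(printf '%s' "$CLIENT_SECRET")`, and use `--set-string` with double-quoted values for the tenant and client IDs. Passing the secret in argv also exposes it to process listings and to any `set -x` or CI log capture — the removed `kubectl create secret --from-literal` had the same exposure — and Helm additionally keeps user-supplied values in the release record, so `helm get values msal-proxy` now prints it to anyone who can read release secrets. The script does not visibly `set -e`, so the `COMPLETE` message after the install is printed even when Helm fails; hedged, since the script header is outside the hunk.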
diff --git a/TemplateFiles/data-protection-persistent-claim.yaml b/TemplateFiles/data-protection-persistent-claim.yaml deleted file mode 100644 index cd81620..0000000 --- a/TemplateFiles/data-protection-persistent-claim.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: msal-net-proxy-az-file-pv-claim -spec: - accessModes: - - ReadWriteMany - storageClassName: azurefile - resources: - requests: - storage: 5Gi diff --git a/TemplateFiles/kuard-ingress.yaml b/TemplateFiles/kuard-ingress.yaml index 84368df..5db2caf 100644 --- a/TemplateFiles/kuard-ingress.yaml +++ b/TemplateFiles/kuard-ingress.yaml @@ -34,6 +34,11 @@ metadata: annotations: kubernetes.io/ingress.class: nginx cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.ingress.kubernetes.io/proxy-buffering: "on" + nginx.ingress.kubernetes.io/proxy-buffers: "4" + nginx.ingress.kubernetes.io/proxy-buffers-number: "4" + nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" + nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "1024m" spec: rules: - host: {{APP_HOSTNAME}} diff --git a/charts/msal-proxy/templates/secret.yaml b/charts/msal-proxy/templates/secret.yaml new file mode 100644 index 0000000..5fad563 --- /dev/null +++ b/charts/msal-proxy/templates/secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.secret.name}} + namespace: default +type: Opaque +data: + {{ .Values.env.AzureAdTenantIdKeyRefKey}}: {{ .Values.secret.azureadtenantid | b64enc }} + {{ .Values.env.AzureAdClientIdKeyRefKey}}: {{ .Values.secret.azureadclientid | b64enc }} + {{ .Values.env.AzureAdClientSecretKeyRefKey}}: {{ .Values.secret.azureclientsecret | b64enc }} \ No newline at end of file diff --git a/charts/msal-proxy/values.yaml b/charts/msal-proxy/values.yaml index 1980b24..a80232d 100644 --- a/charts/msal-proxy/values.yaml +++ b/charts/msal-proxy/values.yaml 
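Review bot: Two of the added annotations overlap: `nginx.ingress.kubernetes.io/proxy-buffers-number: "4"` is the documented ingress-nginx annotation for the buffer count, while `nginx.ingress.kubernetes.io/proxy-buffers: "4"` does not appear to be a recognized annotation and would presumably be ignored — drop it or confirm it against the controller version in use. `nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "1024m"` allows the controller to spool up to 1 GiB of a single upstream response to disk, which on a shared ingress node is a disk-exhaustion lever; if the motivation is only oversized auth headers/cookies, the `proxy-buffer-size` increase is the relevant knob and the temp-file limit can stay at its default or a much smaller value. A comment stating the reason for the larger buffers, e.g. `# larger proxy buffers: presumably for oversized Set-Cookie/auth headers from the MSAL proxy — confirm`, would help, since the hunk does not say why they were added.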
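Review bot: The new secret.yaml hard-codes `namespace: default`, so `helm install -n <ns>` still writes the Secret to `default` while the rest of the release lands in `<ns>`; use `namespace: {{ .Release.Namespace }}` or omit the field and let the release namespace apply. The templated scalars should be quoted — `name: {{ .Values.secret.name | quote }}` and `{{ .Values.secret.azureclientsecret | b64enc | quote }}` — and because values.yaml in this commit ships placeholder defaults (`tenantid`, `clientid`, `clientsecret`), a bare `helm install` renders a Secret with fake credentials; `{{ required "secret.azureclientsecret must be set" .Values.secret.azureclientsecret | b64enc }}` fails the install instead. The data keys come from `.Values.env.*KeyRefKey`, which are not visible in this commit — presumably defined alongside the Deployment's `secretKeyRef`, worth confirming they exist so the keys do not render empty. The file is missing its trailing newline.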
@@ -66,6 +66,12 @@ resources: {} # cpu: 100m # memory: 128Mi +secret: + name: aad-secret + azureadtenantid: tenantid + azureadclientid: clientid + azureclientsecret: clientsecret + autoscaling: enabled: false minReplicas: 1 diff --git a/docs/setup-instructions.md b/docs/setup-instructions.md index e4b1608..d24096d 100644 --- a/docs/setup-instructions.md +++ b/docs/setup-instructions.md @@ -102,7 +102,7 @@ echo $INGRESS_HOST # This should be the same as the $APP_HOSTNAME ``` -## Register AAD Application +## Register AAD Application (Skip if you are registering AAD B2C) ``` # The default app created has permissions we don't need and can cause problem if you are in a more restricted tenant environment 
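Review bot: The new `secret:` block ships live-looking placeholders (`azureadtenantid: tenantid`, `azureadclientid: clientid`, `azureclientsecret: clientsecret`) as defaults, so an install without `--set` overrides deploys a Secret with fake credentials and the proxy only fails at runtime. Use empty strings (`azureclientsecret: ""`) and have the template enforce them with `required`, so a missing value fails `helm install` up front; hedged on the template side, which is a separate file in this commit. A comment above the block would make the contract explicit, e.g. `# Supplied per install via --set-string/--set-file; never commit real values here`.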
@@ -144,17 +144,50 @@ AZURE_TENANT_ID=$(az account show -o json | jq '.tenantId' -r) echo $AZURE_TENANT_ID ``` +## Register AAD B2C Application (Skip if you have registered an AAD Application) + +``` +# Create an Azure AD B2C tenant +Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant + +# Get the name that will be used during registration +echo $AD_APP_NAME + +# Get the Redirect URI that will be used during registration +echo $REPLY_URLS + +# Register a web application in your AAD B2C tenant with the variables echoed above +Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga + +# Enable ID Tokens +# Go to the 'Authentication' tab, under 'Implicit grant and hybrid flows' check 'ID tokens (used for implicit and hybrid flows)' + +# !!NOTE: Replace everything including the { } +# When you have registered your application, go to the 'Overview' tab of your registered web application and set the current variables +CLIENT_ID={Replace with copied 'Application (client) ID'} +OBJECT_ID={Replace with 'Object ID'} +AZURE_TENANT_ID={Replace with 'Directory (tenant) ID'} + +# Create a client secret +Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#create-a-client-secret + +# !!NOTE: Replace everything including the { } +# Record the value into a variable +CLIENT_SECRET={Replace with copied client secret value} + +# Confirm all variables were set +echo $CLIENT_ID +echo $OBJECT_ID +echo $AZURE_TENANT_ID +echo $CLIENT_SECRET +``` + ## Deploy MSAL Proxy ``` -kubectl create secret generic aad-secret \ - --from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \ - --from-literal=CLIENT_ID=$CLIENT_ID \ - --from-literal=CLIENT_SECRET=$CLIENT_SECRET - # Go to the root of the repo before running this command -helm install msal-proxy ./charts/msal-proxy +helm install --set 
secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy # Confirm everything was deployed. kubectl get svc,deploy,pod diff --git a/main.sh b/main.sh index b9a9c5b..f460721 100644 --- a/main.sh +++ b/main.sh @@ -34,7 +34,6 @@ echo "" echo "BEGIN @ $(date +"%T"): Set variables..." # Initialize Variables for flags -ITERATION='' AD_APP_NAME='' CLUSTER_NAME='' CLUSTER_RG='' @@ -42,8 +41,6 @@ EMAIL='' EMAIL_DOMAIN='' LOCATION='' INPUTIMAGE='' -NAMESPACE='' -CLIENTID='' # The only thing I really need is CLIENT ID. With the client ID, we can skip creating the AAD App. SKIP_CLUSTER_CREATION='' while getopts "a:c:r:e:d:l:i:n:s:p:h" OPTION @@ -51,13 +48,13 @@ do case $OPTION in a) # echo "The value of -a is ${OPTARG} - AD_APP_NAME" - AD_APP_NAME=$OPTARG$ITERATION ;; + AD_APP_NAME=$OPTARG ;; c) # echo "The value of -c is ${OPTARG} - CLUSTER_NAME" - CLUSTER_NAME=$OPTARG$ITERATION ;; + CLUSTER_NAME=$OPTARG ;; r) # echo "The value of -r is ${OPTARG} - CLUSTER_RG" - CLUSTER_RG=$OPTARG$ITERATION ;; + CLUSTER_RG=$OPTARG ;; e) # echo "The value of -e is ${OPTARG} - EMAIL" EMAIL=$OPTARG ;; @@ -70,12 +67,6 @@ do i) # echo "The value of -i is ${OPTARG} - INPUTIMAGE" INPUTIMAGE=$OPTARG ;; - n) - # echo "The value of -n is ${OPTARG} - NAMESPACE" - NAMESPACE=$OPTARG ;; - s) - # echo "The value of -s is ${OPTARG} - CLIENTID" - CLIENTID=$OPTARG ;; p) # echo "The value of -p is ${OPTARG} - SKIP_CLUSTER_CREATION" SKIP_CLUSTER_CREATION=$OPTARG ;; @@ -89,8 +80,6 @@ do echo "REQUIRED: -d is for EMAIL_DOMAIN" echo "REQUIRED: -l is for LOCATION" echo "OPTOINAL: -i is for INPUTIMAGE" - echo "OPTOINAL: -n is for NAMESPACE" - echo "OPTOINAL: -s is for CLIENTID" echo "OPTOINAL: -p is for SKIP_CLUSTER_CREATION" exit ;; esac 
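Review bot: The `n)` and `s)` handlers are removed, but the getopts spec on the context line `while getopts "a:c:r:e:d:l:i:n:s:p:h" OPTION` still declares `n:` and `s:`, and the `case` has no `?)`/`*)` branch, so `-n foo` or `-s <client id>` is now accepted and silently dropped instead of rejected; change the spec to `"a:c:r:e:d:l:i:p:h"` and add `*) echo "Unknown option"; exit 1 ;;`. The removed `CLIENTID` line carried a comment saying a supplied client ID was meant to allow skipping AAD app creation; if that path is intentionally gone, the commit description should say so. `OPTOINAL` in the remaining help lines is a pre-existing typo worth fixing while here. The `while getopts` loop starts and ends outside this hunk.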
@@ -103,19 +92,10 @@ if [ -z "$AD_APP_NAME" ] || [ -z "$CLUSTER_NAME" ] || [ -z "$CLUSTER_RG" ] || [ exit fi -# If there is no flag set for SKIP_CLUSTER_CREATION, then create a random iteration. -if [ -z "$SKIP_CLUSTER_CREATION" ]; then - ITERATION=$RANDOM -else - ITERATION='' -fi - APP_HOSTNAME="$AD_APP_NAME.$LOCATION.cloudapp.azure.com" HOMEPAGE=https://$APP_HOSTNAME IDENTIFIER_URIS=$HOMEPAGE REPLY_URLS=https://$APP_HOSTNAME/msal/signin-oidc -COOKIE_SECRET=$(python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("utf-8"))') -INGRESS_IP=0 echo "The value of -a is $AD_APP_NAME - AD_APP_NAME" echo "The value of -c is $CLUSTER_NAME - CLUSTER_NAME" @@ -124,10 +104,7 @@ echo "The value of -e is $EMAIL - EMAIL" echo "The value of -d is $EMAIL_DOMAIN - EMAIL_DOMAIN" echo "The value of -l is $LOCATION - LOCATION" echo "The value of -i is $INPUTIMAGE - INPUTIMAGE" -echo "The value of -n is $NAMESPACE - NAMESPACE" -echo "The value of -s is $CLIENTID - CLIENTID" echo "The value of -p is $SKIP_CLUSTER_CREATION - SKIP_CLUSTER_CREATION" -echo "COOKIE_SECRET: " $COOKIE_SECRET echo "COMPLETE @ $(date +"%T"): Setting variables"
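Review bot: With the random `ITERATION` suffix gone, `APP_HOSTNAME="$AD_APP_NAME.$LOCATION.cloudapp.azure.com"` is built directly from the `-a` argument and then feeds `IDENTIFIER_URIS` and the OIDC `REPLY_URLS`, yet nothing in the hunk checks that the value is a valid lowercase DNS label; a guard such as `case $AD_APP_NAME in *[!a-z0-9-]*) echo "invalid -a value"; exit 1;; esac` before the assignment would reject names that cannot become a cloudapp hostname. The `exit` in the missing-argument check at the top of the hunk returns status 0, so callers cannot distinguish validation failure from success; use `exit 1`. Removing the `COOKIE_SECRET` generation and the `echo "COOKIE_SECRET: "` line stops the script printing a secret, which is good, but confirm no later script still expects `$COOKIE_SECRET` to be set — that cannot be seen from here. The `if` block that ends at the top of the hunk begins outside it.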