Merge branch 'dev' into shlok-official/43-automation-script
c73b53001f
|
@ -30,9 +30,20 @@ jobs:
|
||||||
- name: Test
|
- name: Test
|
||||||
run: dotnet test OCP.Msal.Proxy.Tests/OCP.Msal.Proxy.Tests.csproj --no-build --verbosity normal
|
run: dotnet test OCP.Msal.Proxy.Tests/OCP.Msal.Proxy.Tests.csproj --no-build --verbosity normal
|
||||||
|
|
||||||
|
check_for_depreciated_APIs:
|
||||||
|
name: Check Depreciated K8s APIs
|
||||||
|
runs-on: macos-latest
|
||||||
|
needs: build
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v2
|
||||||
|
- run: brew install FairwindsOps/tap/pluto
|
||||||
|
- run: helm template ./charts/msal-proxy | pluto detect -
|
||||||
|
#- run: pluto detect-files -d ./charts/msal-proxy
|
||||||
|
|
||||||
push_to_registries:
|
push_to_registries:
|
||||||
|
|
||||||
needs: build
|
needs: check_for_depreciated_APIs
|
||||||
name: Push Docker image to multiple registries
|
name: Push Docker image to multiple registries
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
permissions:
|
permissions:
|
||||||
|
|
|
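Review bot: The new job id `check_for_depreciated_APIs` and its display name `Check Depreciated K8s APIs` misspell "deprecated", and the id is now the dependency edge `needs: check_for_depreciated_APIs` for `push_to_registries`, so renaming it to `check_for_deprecated_apis` in both places is worth doing before anything else references it (the standalone workflow added in the next file already spells it `deprecated`). Separately, `- run: helm template ./charts/msal-proxy | pluto detect -` reports only pluto's exit status under the runner's default shell, which is `bash -e` without `pipefail`, so a failing `helm template` feeding empty input would leave the step green; adding `shell: bash` to that step (GitHub then runs it with `-eo pipefail`) or prefixing the command with `set -o pipefail;` closes that gap. `brew install FairwindsOps/tap/pluto` and `actions/checkout@v2` are both unpinned, which matches the file's existing style but means the version of the checking tool floats between runs.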
@ -0,0 +1,17 @@
|
||||||
|
# This is a basic workflow to help you get started with Actions
|
||||||
|
|
||||||
|
name: Check deprecated APIs
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
mac:
|
||||||
|
runs-on: macos-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v2
|
||||||
|
- run: brew install FairwindsOps/tap/pluto
|
||||||
|
- run: helm template ./charts/msal-proxy | pluto detect -
|
||||||
|
|
||||||
|
#pluto detect-files -d ./
|
|
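Review bot: This standalone workflow runs the same pluto detection (`brew install FairwindsOps/tap/pluto`, `helm template ./charts/msal-proxy | pluto detect -`) that the `check_for_depreciated_APIs` job added to the main CI workflow in this commit already performs, and it triggers on every `push` with no branch or path filter, so each push now runs the check twice on a macOS runner. Keeping one copy — presumably the job that gates `push_to_registries` — avoids the two drifting apart. The commented-out `#pluto detect-files -d ./` left at the end of the file should either be removed or explained, e.g. `# detect-files is not used here: chart templates are rendered with helm first, presumably because unrendered templates cannot be parsed — confirm`.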
@ -4,23 +4,12 @@
|
||||||
|
|
||||||
echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..."
|
echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..."
|
||||||
|
|
||||||
echo "BEGIN @ $(date +"%T"): Deploying secret..."
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
kubectl create secret generic aad-secret \
|
|
||||||
--from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \
|
|
||||||
--from-literal=CLIENT_ID=$CLIENT_ID \
|
|
||||||
--from-literal=CLIENT_SECRET=$CLIENT_SECRET
|
|
||||||
|
|
||||||
echo ""
|
|
||||||
echo "COMPLETE @ $(date +"%T"): Deploying secret"
|
|
||||||
|
|
||||||
# kubectl apply -f msal-net-proxy.yaml
|
# kubectl apply -f msal-net-proxy.yaml
|
||||||
|
|
||||||
echo "BEGIN @ $(date +"%T"): Calling Helm..."
|
echo "BEGIN @ $(date +"%T"): Calling Helm..."
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
helm install msal-proxy ./charts/msal-proxy
|
helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "COMPLETE @ $(date +"%T"): Calling Helm"
|
echo "COMPLETE @ $(date +"%T"): Calling Helm"
|
||||||
|
|
|
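Review bot: The replacement `helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy` puts the client secret into helm's argv, where it is visible in process listings and in shell history if the line is ever run interactively, and the unquoted expansions are subject to word splitting and to `--set`'s own comma handling if the secret contains such characters. Reading the secret from a file descriptor instead keeps it off the command line (works under bash, which the `$(...)` and `$RANDOM` usage elsewhere in this repo suggests), and quoting the other two values removes the splitting risk; the same command appears in the README hunk later in this commit and should change with it. Helm still records supplied values in its release secret in the cluster, so the in-cluster exposure is unchanged by this rewrite.
```shell
# … unchanged: BEGIN / COMPLETE echo lines …
helm install msal-proxy ./charts/msal-proxy \
  --set "secret.azureadtenantid=$AZURE_TENANT_ID" \
  --set "secret.azureadclientid=$CLIENT_ID" \
  --set-file secret.azureclientsecret=<(printf '%s' "$CLIENT_SECRET")
```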
@ -1,15 +0,0 @@
|
||||||
kind: StorageClass
|
|
||||||
apiVersion: storage.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: azurefile
|
|
||||||
provisioner: kubernetes.io/azure-file
|
|
||||||
mountOptions:
|
|
||||||
- dir_mode=0777
|
|
||||||
- file_mode=0777
|
|
||||||
- uid=1000
|
|
||||||
- gid=1000
|
|
||||||
- mfsymlinks
|
|
||||||
- nobrl
|
|
||||||
- cache=none
|
|
||||||
parameters:
|
|
||||||
skuName: Standard_LRS
|
|
|
@ -1,21 +0,0 @@
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
name: system:azure-cloud-provider
|
|
||||||
rules:
|
|
||||||
- apiGroups: ['']
|
|
||||||
resources: ['secrets']
|
|
||||||
verbs: ['get','create']
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: system:azure-cloud-provider
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
name: system:azure-cloud-provider
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: persistent-volume-binder
|
|
||||||
namespace: kube-system
|
|
|
@ -1,11 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: PersistentVolumeClaim
|
|
||||||
metadata:
|
|
||||||
name: msal-net-proxy-az-file-pv-claim
|
|
||||||
spec:
|
|
||||||
accessModes:
|
|
||||||
- ReadWriteMany
|
|
||||||
storageClassName: azurefile
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: 5Gi
|
|
|
@ -34,6 +34,11 @@ metadata:
|
||||||
annotations:
|
annotations:
|
||||||
kubernetes.io/ingress.class: nginx
|
kubernetes.io/ingress.class: nginx
|
||||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||||
|
nginx.ingress.kubernetes.io/proxy-buffering: "on"
|
||||||
|
nginx.ingress.kubernetes.io/proxy-buffers: "4"
|
||||||
|
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
|
||||||
|
nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
|
||||||
|
nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "1024m"
|
||||||
spec:
|
spec:
|
||||||
rules:
|
rules:
|
||||||
- host: {{APP_HOSTNAME}}
|
- host: {{APP_HOSTNAME}}
|
||||||
|
|
|
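Review bot: `nginx.ingress.kubernetes.io/proxy-buffers: "4"` does not match any ingress-nginx annotation I know of — the buffer count and size are the `proxy-buffers-number` and `proxy-buffer-size` annotations on the two lines that follow it — so it looks like a leftover of the line below and, being unrecognized, would be silently ignored by the controller; drop it. The five new annotations also carry no explanation of why buffering was turned on and enlarged, which the next person tuning the ingress will want; a comment above the block such as `# Proxy buffering enabled with larger buffers: presumably needed for the large auth cookies/headers this proxy sets — confirm the required sizes` would capture the intent without asserting more than the change shows. Quoting `"on"` and the numeric values as strings is correct here and should stay that way.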
@ -0,0 +1,10 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: {{ .Values.secret.name}}
|
||||||
|
namespace: default
|
||||||
|
type: Opaque
|
||||||
|
data:
|
||||||
|
{{ .Values.env.AzureAdTenantIdKeyRefKey}}: {{ .Values.secret.azureadtenantid | b64enc }}
|
||||||
|
{{ .Values.env.AzureAdClientIdKeyRefKey}}: {{ .Values.secret.azureadclientid | b64enc }}
|
||||||
|
{{ .Values.env.AzureAdClientSecretKeyRefKey}}: {{ .Values.secret.azureclientsecret | b64enc }}
|
|
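Review bot: `namespace: default` is hard-coded in the new Secret template, while the chart's other resources presumably land in the release namespace, so `helm install -n <ns>` would create the Secret in `default` and any `secretKeyRef` in the Deployment would not find it; use `namespace: {{ .Release.Namespace }}` (or omit the field and let Helm place it). The three data values are rendered unquoted and fall back to whatever `values.yaml` holds, so an install without `--set` silently produces a Secret containing the placeholder strings; `{{ required "secret.azureclientsecret must be set" .Values.secret.azureclientsecret | b64enc | quote }}` fails the install instead and keeps the scalar a string even if the base64 output happens to look numeric. The same `required` treatment applies to the tenant-id and client-id entries.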
@ -66,6 +66,12 @@ resources: {}
|
||||||
# cpu: 100m
|
# cpu: 100m
|
||||||
# memory: 128Mi
|
# memory: 128Mi
|
||||||
|
|
||||||
|
secret:
|
||||||
|
name: aad-secret
|
||||||
|
azureadtenantid: tenantid
|
||||||
|
azureadclientid: clientid
|
||||||
|
azureclientsecret: clientsecret
|
||||||
|
|
||||||
autoscaling:
|
autoscaling:
|
||||||
enabled: false
|
enabled: false
|
||||||
minReplicas: 1
|
minReplicas: 1
|
||||||
|
|
|
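Review bot: The new `secret` block seeds `azureadtenantid`, `azureadclientid` and `azureclientsecret` with placeholder strings (`tenantid`, `clientid`, `clientsecret`), so a chart install that forgets the `--set` overrides still succeeds and ships a Secret with bogus credentials, and the file invites someone to replace them with real values and commit them. Leaving them empty — `azureclientsecret: ""` — together with a comment above the block, `# Supply at install time (--set/--set-file or a values file kept out of VCS); never commit real values here`, makes the omission visible, especially if the template marks them `required`. `name: aad-secret` is fine as a plain scalar.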
@ -102,7 +102,7 @@ echo $INGRESS_HOST
|
||||||
# This should be the same as the $APP_HOSTNAME
|
# This should be the same as the $APP_HOSTNAME
|
||||||
```
|
```
|
||||||
|
|
||||||
## Register AAD Application
|
## Register AAD Application (Skip if you are registering AAD B2C)
|
||||||
|
|
||||||
```
|
```
|
||||||
# The default app created has permissions we don't need and can cause problem if you are in a more restricted tenant environment
|
# The default app created has permissions we don't need and can cause problem if you are in a more restricted tenant environment
|
||||||
|
@ -144,17 +144,50 @@ AZURE_TENANT_ID=$(az account show -o json | jq '.tenantId' -r)
|
||||||
echo $AZURE_TENANT_ID
|
echo $AZURE_TENANT_ID
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Register AAD B2C Application (Skip if you have registered an AAD Application)
|
||||||
|
|
||||||
|
```
|
||||||
|
# Create an Azure AD B2C tenant
|
||||||
|
Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant
|
||||||
|
|
||||||
|
# Get the name that will be used during registration
|
||||||
|
echo $AD_APP_NAME
|
||||||
|
|
||||||
|
# Get the Redirect URI that will be used during registration
|
||||||
|
echo $REPLY_URLS
|
||||||
|
|
||||||
|
# Register a web application in your AAD B2C tenant with the variables echoed above
|
||||||
|
Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga
|
||||||
|
|
||||||
|
# Enable ID Tokens
|
||||||
|
# Go to the 'Authentication' tab, under 'Implicit grant and hybrid flows' check 'ID tokens (used for implicit and hybrid flows)'
|
||||||
|
|
||||||
|
# !!NOTE: Replace everything including the { }
|
||||||
|
# When you have registered your application, go to the 'Overview' tab of your registered web application and set the current variables
|
||||||
|
CLIENT_ID={Replace with copied 'Application (client) ID'}
|
||||||
|
OBJECT_ID={Replace with 'Object ID'}
|
||||||
|
AZURE_TENANT_ID={Replace with 'Directory (tenant) ID'}
|
||||||
|
|
||||||
|
# Create a client secret
|
||||||
|
Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#create-a-client-secret
|
||||||
|
|
||||||
|
# !!NOTE: Replace everything including the { }
|
||||||
|
# Record the value into a variable
|
||||||
|
CLIENT_SECRET={Replace with copied client secret value}
|
||||||
|
|
||||||
|
# Confirm all variables were set
|
||||||
|
echo $CLIENT_ID
|
||||||
|
echo $OBJECT_ID
|
||||||
|
echo $AZURE_TENANT_ID
|
||||||
|
echo $CLIENT_SECRET
|
||||||
|
```
|
||||||
|
|
||||||
## Deploy MSAL Proxy
|
## Deploy MSAL Proxy
|
||||||
|
|
||||||
```
|
```
|
||||||
kubectl create secret generic aad-secret \
|
|
||||||
--from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \
|
|
||||||
--from-literal=CLIENT_ID=$CLIENT_ID \
|
|
||||||
--from-literal=CLIENT_SECRET=$CLIENT_SECRET
|
|
||||||
|
|
||||||
|
|
||||||
# Go to the root of the repo before running this command
|
# Go to the root of the repo before running this command
|
||||||
helm install msal-proxy ./charts/msal-proxy
|
helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy
|
||||||
|
|
||||||
# Confirm everything was deployed.
|
# Confirm everything was deployed.
|
||||||
kubectl get svc,deploy,pod
|
kubectl get svc,deploy,pod
|
||||||
|
|
29
main.sh
29
main.sh
|
@ -34,7 +34,6 @@ echo ""
|
||||||
echo "BEGIN @ $(date +"%T"): Set variables..."
|
echo "BEGIN @ $(date +"%T"): Set variables..."
|
||||||
|
|
||||||
# Initialize Variables for flags
|
# Initialize Variables for flags
|
||||||
ITERATION=''
|
|
||||||
AD_APP_NAME=''
|
AD_APP_NAME=''
|
||||||
CLUSTER_NAME=''
|
CLUSTER_NAME=''
|
||||||
CLUSTER_RG=''
|
CLUSTER_RG=''
|
||||||
|
@ -42,8 +41,6 @@ EMAIL=''
|
||||||
EMAIL_DOMAIN=''
|
EMAIL_DOMAIN=''
|
||||||
LOCATION=''
|
LOCATION=''
|
||||||
INPUTIMAGE=''
|
INPUTIMAGE=''
|
||||||
NAMESPACE=''
|
|
||||||
CLIENTID='' # The only thing I really need is CLIENT ID. With the client ID, we can skip creating the AAD App.
|
|
||||||
SKIP_CLUSTER_CREATION=''
|
SKIP_CLUSTER_CREATION=''
|
||||||
|
|
||||||
while getopts "a:c:r:e:d:l:i:n:s:p:h" OPTION
|
while getopts "a:c:r:e:d:l:i:n:s:p:h" OPTION
|
||||||
|
@ -51,13 +48,13 @@ do
|
||||||
case $OPTION in
|
case $OPTION in
|
||||||
a)
|
a)
|
||||||
# echo "The value of -a is ${OPTARG} - AD_APP_NAME"
|
# echo "The value of -a is ${OPTARG} - AD_APP_NAME"
|
||||||
AD_APP_NAME=$OPTARG$ITERATION ;;
|
AD_APP_NAME=$OPTARG ;;
|
||||||
c)
|
c)
|
||||||
# echo "The value of -c is ${OPTARG} - CLUSTER_NAME"
|
# echo "The value of -c is ${OPTARG} - CLUSTER_NAME"
|
||||||
CLUSTER_NAME=$OPTARG$ITERATION ;;
|
CLUSTER_NAME=$OPTARG ;;
|
||||||
r)
|
r)
|
||||||
# echo "The value of -r is ${OPTARG} - CLUSTER_RG"
|
# echo "The value of -r is ${OPTARG} - CLUSTER_RG"
|
||||||
CLUSTER_RG=$OPTARG$ITERATION ;;
|
CLUSTER_RG=$OPTARG ;;
|
||||||
e)
|
e)
|
||||||
# echo "The value of -e is ${OPTARG} - EMAIL"
|
# echo "The value of -e is ${OPTARG} - EMAIL"
|
||||||
EMAIL=$OPTARG ;;
|
EMAIL=$OPTARG ;;
|
||||||
|
@ -70,12 +67,6 @@ do
|
||||||
i)
|
i)
|
||||||
# echo "The value of -i is ${OPTARG} - INPUTIMAGE"
|
# echo "The value of -i is ${OPTARG} - INPUTIMAGE"
|
||||||
INPUTIMAGE=$OPTARG ;;
|
INPUTIMAGE=$OPTARG ;;
|
||||||
n)
|
|
||||||
# echo "The value of -n is ${OPTARG} - NAMESPACE"
|
|
||||||
NAMESPACE=$OPTARG ;;
|
|
||||||
s)
|
|
||||||
# echo "The value of -s is ${OPTARG} - CLIENTID"
|
|
||||||
CLIENTID=$OPTARG ;;
|
|
||||||
p)
|
p)
|
||||||
# echo "The value of -p is ${OPTARG} - SKIP_CLUSTER_CREATION"
|
# echo "The value of -p is ${OPTARG} - SKIP_CLUSTER_CREATION"
|
||||||
SKIP_CLUSTER_CREATION=$OPTARG ;;
|
SKIP_CLUSTER_CREATION=$OPTARG ;;
|
||||||
|
@ -89,8 +80,6 @@ do
|
||||||
echo "REQUIRED: -d is for EMAIL_DOMAIN"
|
echo "REQUIRED: -d is for EMAIL_DOMAIN"
|
||||||
echo "REQUIRED: -l is for LOCATION"
|
echo "REQUIRED: -l is for LOCATION"
|
||||||
echo "OPTOINAL: -i is for INPUTIMAGE"
|
echo "OPTOINAL: -i is for INPUTIMAGE"
|
||||||
echo "OPTOINAL: -n is for NAMESPACE"
|
|
||||||
echo "OPTOINAL: -s is for CLIENTID"
|
|
||||||
echo "OPTOINAL: -p is for SKIP_CLUSTER_CREATION"
|
echo "OPTOINAL: -p is for SKIP_CLUSTER_CREATION"
|
||||||
exit ;;
|
exit ;;
|
||||||
esac
|
esac
|
||||||
|
@ -103,19 +92,10 @@ if [ -z "$AD_APP_NAME" ] || [ -z "$CLUSTER_NAME" ] || [ -z "$CLUSTER_RG" ] || [
|
||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If there is no flag set for SKIP_CLUSTER_CREATION, then create a random iteration.
|
|
||||||
if [ -z "$SKIP_CLUSTER_CREATION" ]; then
|
|
||||||
ITERATION=$RANDOM
|
|
||||||
else
|
|
||||||
ITERATION=''
|
|
||||||
fi
|
|
||||||
|
|
||||||
APP_HOSTNAME="$AD_APP_NAME.$LOCATION.cloudapp.azure.com"
|
APP_HOSTNAME="$AD_APP_NAME.$LOCATION.cloudapp.azure.com"
|
||||||
HOMEPAGE=https://$APP_HOSTNAME
|
HOMEPAGE=https://$APP_HOSTNAME
|
||||||
IDENTIFIER_URIS=$HOMEPAGE
|
IDENTIFIER_URIS=$HOMEPAGE
|
||||||
REPLY_URLS=https://$APP_HOSTNAME/msal/signin-oidc
|
REPLY_URLS=https://$APP_HOSTNAME/msal/signin-oidc
|
||||||
COOKIE_SECRET=$(python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("utf-8"))')
|
|
||||||
INGRESS_IP=0
|
|
||||||
|
|
||||||
echo "The value of -a is $AD_APP_NAME - AD_APP_NAME"
|
echo "The value of -a is $AD_APP_NAME - AD_APP_NAME"
|
||||||
echo "The value of -c is $CLUSTER_NAME - CLUSTER_NAME"
|
echo "The value of -c is $CLUSTER_NAME - CLUSTER_NAME"
|
||||||
|
@ -124,10 +104,7 @@ echo "The value of -e is $EMAIL - EMAIL"
|
||||||
echo "The value of -d is $EMAIL_DOMAIN - EMAIL_DOMAIN"
|
echo "The value of -d is $EMAIL_DOMAIN - EMAIL_DOMAIN"
|
||||||
echo "The value of -l is $LOCATION - LOCATION"
|
echo "The value of -l is $LOCATION - LOCATION"
|
||||||
echo "The value of -i is $INPUTIMAGE - INPUTIMAGE"
|
echo "The value of -i is $INPUTIMAGE - INPUTIMAGE"
|
||||||
echo "The value of -n is $NAMESPACE - NAMESPACE"
|
|
||||||
echo "The value of -s is $CLIENTID - CLIENTID"
|
|
||||||
echo "The value of -p is $SKIP_CLUSTER_CREATION - SKIP_CLUSTER_CREATION"
|
echo "The value of -p is $SKIP_CLUSTER_CREATION - SKIP_CLUSTER_CREATION"
|
||||||
echo "COOKIE_SECRET: " $COOKIE_SECRET
|
|
||||||
echo "COMPLETE @ $(date +"%T"): Setting variables"
|
echo "COMPLETE @ $(date +"%T"): Setting variables"
|
||||||
|
|
||||||
|
|
||||||
|
|
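Review bot: The `n)` and `s)` case branches, the `NAMESPACE` and `CLIENTID` variables and their echo lines are removed, but the unchanged `while getopts "a:c:r:e:d:l:i:n:s:p:h" OPTION` still declares `n:` and `s:`, so `-n foo` or `-s id` is still accepted, its argument consumed, and the option then falls into the `case` default (presumably the help branch) instead of being rejected as unknown; change it to `while getopts "a:c:r:e:d:l:i:p:h" OPTION`. Dropping `echo "COOKIE_SECRET: " $COOKIE_SECRET` is welcome since it printed a secret to the log, but if `COOKIE_SECRET` is still referenced further down the script, outside these hunks, it now expands to an empty string, which is worth confirming. The `OPTOINAL` typo on the three remaining help lines is pre-existing but could be fixed in the same pass.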