Merge branch 'dev' into shlok-official/43-automation-script

This commit is contained in:
Danielkon96 2021-10-14 17:06:01 +00:00
Родитель a888831e7c 9588cee8be
Коммит c73b53001f
11 изменённых файлов: 94 добавлений и 93 удалений

13
.github/workflows/ci.yml поставляемый
Просмотреть файл

@ -30,9 +30,20 @@ jobs:
- name: Test - name: Test
run: dotnet test OCP.Msal.Proxy.Tests/OCP.Msal.Proxy.Tests.csproj --no-build --verbosity normal run: dotnet test OCP.Msal.Proxy.Tests/OCP.Msal.Proxy.Tests.csproj --no-build --verbosity normal
check_for_depreciated_APIs:
name: Check Depreciated K8s APIs
runs-on: macos-latest
needs: build
steps:
- uses: actions/checkout@v2
- run: brew install FairwindsOps/tap/pluto
- run: helm template ./charts/msal-proxy | pluto detect -
#- run: pluto detect-files -d ./charts/msal-proxy
push_to_registries: push_to_registries:
needs: build needs: check_for_depreciated_APIs
name: Push Docker image to multiple registries name: Push Docker image to multiple registries
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:

17
.github/workflows/pluto.yml поставляемый Normal file
Просмотреть файл

@ -0,0 +1,17 @@
# This is a basic workflow to help you get started with Actions
name: Check deprecated APIs
on:
push:
workflow_dispatch:
jobs:
mac:
runs-on: macos-latest
steps:
- uses: actions/checkout@v2
- run: brew install FairwindsOps/tap/pluto
- run: helm template ./charts/msal-proxy | pluto detect -
#pluto detect-files -d ./

Просмотреть файл

@ -4,23 +4,12 @@
echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..." echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..."
echo "BEGIN @ $(date +"%T"): Deploying secret..."
echo ""
kubectl create secret generic aad-secret \
--from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \
--from-literal=CLIENT_ID=$CLIENT_ID \
--from-literal=CLIENT_SECRET=$CLIENT_SECRET
echo ""
echo "COMPLETE @ $(date +"%T"): Deploying secret"
# kubectl apply -f msal-net-proxy.yaml # kubectl apply -f msal-net-proxy.yaml
echo "BEGIN @ $(date +"%T"): Calling Helm..." echo "BEGIN @ $(date +"%T"): Calling Helm..."
echo "" echo ""
helm install msal-proxy ./charts/msal-proxy helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy
echo "" echo ""
echo "COMPLETE @ $(date +"%T"): Calling Helm" echo "COMPLETE @ $(date +"%T"): Calling Helm"

Просмотреть файл

@ -1,15 +0,0 @@
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: azurefile
provisioner: kubernetes.io/azure-file
mountOptions:
- dir_mode=0777
- file_mode=0777
- uid=1000
- gid=1000
- mfsymlinks
- nobrl
- cache=none
parameters:
skuName: Standard_LRS

Просмотреть файл

@ -1,21 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:azure-cloud-provider
rules:
- apiGroups: ['']
resources: ['secrets']
verbs: ['get','create']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:azure-cloud-provider
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: system:azure-cloud-provider
subjects:
- kind: ServiceAccount
name: persistent-volume-binder
namespace: kube-system

Просмотреть файл

@ -1,11 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: msal-net-proxy-az-file-pv-claim
spec:
accessModes:
- ReadWriteMany
storageClassName: azurefile
resources:
requests:
storage: 5Gi

Просмотреть файл

@ -34,6 +34,11 @@ metadata:
annotations: annotations:
kubernetes.io/ingress.class: nginx kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-prod cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/proxy-buffering: "on"
nginx.ingress.kubernetes.io/proxy-buffers: "4"
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "1024m"
spec: spec:
rules: rules:
- host: {{APP_HOSTNAME}} - host: {{APP_HOSTNAME}}

Просмотреть файл

@ -0,0 +1,10 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.secret.name}}
namespace: default
type: Opaque
data:
{{ .Values.env.AzureAdTenantIdKeyRefKey}}: {{ .Values.secret.azureadtenantid | b64enc }}
{{ .Values.env.AzureAdClientIdKeyRefKey}}: {{ .Values.secret.azureadclientid | b64enc }}
{{ .Values.env.AzureAdClientSecretKeyRefKey}}: {{ .Values.secret.azureclientsecret | b64enc }}

Просмотреть файл

@ -66,6 +66,12 @@ resources: {}
# cpu: 100m # cpu: 100m
# memory: 128Mi # memory: 128Mi
secret:
name: aad-secret
azureadtenantid: tenantid
azureadclientid: clientid
azureclientsecret: clientsecret
autoscaling: autoscaling:
enabled: false enabled: false
minReplicas: 1 minReplicas: 1

Просмотреть файл

@ -102,7 +102,7 @@ echo $INGRESS_HOST
# This should be the same as the $APP_HOSTNAME # This should be the same as the $APP_HOSTNAME
``` ```
## Register AAD Application ## Register AAD Application (Skip if you are registering AAD B2C)
``` ```
# The default app created has permissions we don't need and can cause problem if you are in a more restricted tenant environment # The default app created has permissions we don't need and can cause problem if you are in a more restricted tenant environment
@ -144,17 +144,50 @@ AZURE_TENANT_ID=$(az account show -o json | jq '.tenantId' -r)
echo $AZURE_TENANT_ID echo $AZURE_TENANT_ID
``` ```
## Register AAD B2C Application (Skip if you have registered an AAD Application)
```
# Create an Azure AD B2C tenant
Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant
# Get the name that will be used during registration
echo $AD_APP_NAME
# Get the Redirect URI that will be used during registration
echo $REPLY_URLS
# Register a web application in your AAD B2C tenant with the variables echoed above
Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga
# Enable ID Tokens
# Go to the 'Authentication' tab, under 'Implicit grant and hybrid flows' check 'ID tokens (used for implicit and hybrid flows)'
# !!NOTE: Replace everything including the { }
# When you have registered your application, go to the 'Overview' tab of your registered web application and set the current variables
CLIENT_ID={Replace with copied 'Application (client) ID'}
OBJECT_ID={Replace with 'Object ID'}
AZURE_TENANT_ID={Replace with 'Directory (tenant) ID'}
# Create a client secret
Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#create-a-client-secret
# !!NOTE: Replace everything including the { }
# Record the value into a variable
CLIENT_SECRET={Replace with copied client secret value}
# Confirm all variables were set
echo $CLIENT_ID
echo $OBJECT_ID
echo $AZURE_TENANT_ID
echo $CLIENT_SECRET
```
## Deploy MSAL Proxy ## Deploy MSAL Proxy
``` ```
kubectl create secret generic aad-secret \
--from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \
--from-literal=CLIENT_ID=$CLIENT_ID \
--from-literal=CLIENT_SECRET=$CLIENT_SECRET
# Go to the root of the repo before running this command # Go to the root of the repo before running this command
helm install msal-proxy ./charts/msal-proxy helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy
# Confirm everything was deployed. # Confirm everything was deployed.
kubectl get svc,deploy,pod kubectl get svc,deploy,pod

29
main.sh
Просмотреть файл

@ -34,7 +34,6 @@ echo ""
echo "BEGIN @ $(date +"%T"): Set variables..." echo "BEGIN @ $(date +"%T"): Set variables..."
# Initialize Variables for flags # Initialize Variables for flags
ITERATION=''
AD_APP_NAME='' AD_APP_NAME=''
CLUSTER_NAME='' CLUSTER_NAME=''
CLUSTER_RG='' CLUSTER_RG=''
@ -42,8 +41,6 @@ EMAIL=''
EMAIL_DOMAIN='' EMAIL_DOMAIN=''
LOCATION='' LOCATION=''
INPUTIMAGE='' INPUTIMAGE=''
NAMESPACE=''
CLIENTID='' # The only thing I really need is CLIENT ID. With the client ID, we can skip creating the AAD App.
SKIP_CLUSTER_CREATION='' SKIP_CLUSTER_CREATION=''
while getopts "a:c:r:e:d:l:i:n:s:p:h" OPTION while getopts "a:c:r:e:d:l:i:n:s:p:h" OPTION
@ -51,13 +48,13 @@ do
case $OPTION in case $OPTION in
a) a)
# echo "The value of -a is ${OPTARG} - AD_APP_NAME" # echo "The value of -a is ${OPTARG} - AD_APP_NAME"
AD_APP_NAME=$OPTARG$ITERATION ;; AD_APP_NAME=$OPTARG ;;
c) c)
# echo "The value of -c is ${OPTARG} - CLUSTER_NAME" # echo "The value of -c is ${OPTARG} - CLUSTER_NAME"
CLUSTER_NAME=$OPTARG$ITERATION ;; CLUSTER_NAME=$OPTARG ;;
r) r)
# echo "The value of -r is ${OPTARG} - CLUSTER_RG" # echo "The value of -r is ${OPTARG} - CLUSTER_RG"
CLUSTER_RG=$OPTARG$ITERATION ;; CLUSTER_RG=$OPTARG ;;
e) e)
# echo "The value of -e is ${OPTARG} - EMAIL" # echo "The value of -e is ${OPTARG} - EMAIL"
EMAIL=$OPTARG ;; EMAIL=$OPTARG ;;
@ -70,12 +67,6 @@ do
i) i)
# echo "The value of -i is ${OPTARG} - INPUTIMAGE" # echo "The value of -i is ${OPTARG} - INPUTIMAGE"
INPUTIMAGE=$OPTARG ;; INPUTIMAGE=$OPTARG ;;
n)
# echo "The value of -n is ${OPTARG} - NAMESPACE"
NAMESPACE=$OPTARG ;;
s)
# echo "The value of -s is ${OPTARG} - CLIENTID"
CLIENTID=$OPTARG ;;
p) p)
# echo "The value of -p is ${OPTARG} - SKIP_CLUSTER_CREATION" # echo "The value of -p is ${OPTARG} - SKIP_CLUSTER_CREATION"
SKIP_CLUSTER_CREATION=$OPTARG ;; SKIP_CLUSTER_CREATION=$OPTARG ;;
@ -89,8 +80,6 @@ do
echo "REQUIRED: -d is for EMAIL_DOMAIN" echo "REQUIRED: -d is for EMAIL_DOMAIN"
echo "REQUIRED: -l is for LOCATION" echo "REQUIRED: -l is for LOCATION"
echo "OPTOINAL: -i is for INPUTIMAGE" echo "OPTOINAL: -i is for INPUTIMAGE"
echo "OPTOINAL: -n is for NAMESPACE"
echo "OPTOINAL: -s is for CLIENTID"
echo "OPTOINAL: -p is for SKIP_CLUSTER_CREATION" echo "OPTOINAL: -p is for SKIP_CLUSTER_CREATION"
exit ;; exit ;;
esac esac
@ -103,19 +92,10 @@ if [ -z "$AD_APP_NAME" ] || [ -z "$CLUSTER_NAME" ] || [ -z "$CLUSTER_RG" ] || [
exit exit
fi fi
# If there is no flag set for SKIP_CLUSTER_CREATION, then create a random iteration.
if [ -z "$SKIP_CLUSTER_CREATION" ]; then
ITERATION=$RANDOM
else
ITERATION=''
fi
APP_HOSTNAME="$AD_APP_NAME.$LOCATION.cloudapp.azure.com" APP_HOSTNAME="$AD_APP_NAME.$LOCATION.cloudapp.azure.com"
HOMEPAGE=https://$APP_HOSTNAME HOMEPAGE=https://$APP_HOSTNAME
IDENTIFIER_URIS=$HOMEPAGE IDENTIFIER_URIS=$HOMEPAGE
REPLY_URLS=https://$APP_HOSTNAME/msal/signin-oidc REPLY_URLS=https://$APP_HOSTNAME/msal/signin-oidc
COOKIE_SECRET=$(python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("utf-8"))')
INGRESS_IP=0
echo "The value of -a is $AD_APP_NAME - AD_APP_NAME" echo "The value of -a is $AD_APP_NAME - AD_APP_NAME"
echo "The value of -c is $CLUSTER_NAME - CLUSTER_NAME" echo "The value of -c is $CLUSTER_NAME - CLUSTER_NAME"
@ -124,10 +104,7 @@ echo "The value of -e is $EMAIL - EMAIL"
echo "The value of -d is $EMAIL_DOMAIN - EMAIL_DOMAIN" echo "The value of -d is $EMAIL_DOMAIN - EMAIL_DOMAIN"
echo "The value of -l is $LOCATION - LOCATION" echo "The value of -l is $LOCATION - LOCATION"
echo "The value of -i is $INPUTIMAGE - INPUTIMAGE" echo "The value of -i is $INPUTIMAGE - INPUTIMAGE"
echo "The value of -n is $NAMESPACE - NAMESPACE"
echo "The value of -s is $CLIENTID - CLIENTID"
echo "The value of -p is $SKIP_CLUSTER_CREATION - SKIP_CLUSTER_CREATION" echo "The value of -p is $SKIP_CLUSTER_CREATION - SKIP_CLUSTER_CREATION"
echo "COOKIE_SECRET: " $COOKIE_SECRET
echo "COMPLETE @ $(date +"%T"): Setting variables" echo "COMPLETE @ $(date +"%T"): Setting variables"