Merge branch 'dev' into shlok-official/43-automation-script
c73b53001f
|
@ -30,9 +30,20 @@ jobs:
|
|||
- name: Test
|
||||
run: dotnet test OCP.Msal.Proxy.Tests/OCP.Msal.Proxy.Tests.csproj --no-build --verbosity normal
|
||||
|
||||
check_for_depreciated_APIs:
|
||||
name: Check Depreciated K8s APIs
|
||||
runs-on: macos-latest
|
||||
needs: build
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- run: brew install FairwindsOps/tap/pluto
|
||||
- run: helm template ./charts/msal-proxy | pluto detect -
|
||||
#- run: pluto detect-files -d ./charts/msal-proxy
|
||||
|
||||
push_to_registries:
|
||||
|
||||
needs: build
|
||||
needs: check_for_depreciated_APIs
|
||||
name: Push Docker image to multiple registries
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
|
|
|
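Review bot: The new gate job installs its scanner with `brew install FairwindsOps/tap/pluto` and checks out with `actions/checkout@v2`, so the verdict that `push_to_registries` now waits on (`needs: check_for_depreciated_APIs`) depends on whatever pluto version the tap resolves on the day of the run and on a floating major tag of the action; pin both (a fixed pluto release, verified by checksum, and a full commit SHA for the action) so the gate is reproducible. The step `helm template ./charts/msal-proxy | pluto detect -` has no `shell:` key, and on macOS the default `run` shell is `bash -e {0}` without `pipefail`, so a failing `helm template` is masked by pluto's exit status; add `shell: bash` to that step (which enables `pipefail`) or prefix the command with `set -o pipefail;`. The same three points apply to the standalone workflow added in the next hunk `@@ -0,0 +1,17 @@`, which duplicates this job and triggers on `push:` with no branch filter. The job id and name spell "Depreciated"; `Deprecated` is meant. Both job blocks continue outside the hunk.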
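--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,17 @@
+# This is a basic workflow to help you get started with Actions
+
+name: Check deprecated APIs
+
+on:
+push:
+workflow_dispatch:
+
+jobs:
+mac:
+runs-on: macos-latest
+steps:
+- uses: actions/checkout@v2
+- run: brew install FairwindsOps/tap/pluto
+- run: helm template ./charts/msal-proxy | pluto detect -
+
+#pluto detect-files -d ./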
@ -4,23 +4,12 @@
|
|||
|
||||
echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..."
|
||||
|
||||
echo "BEGIN @ $(date +"%T"): Deploying secret..."
|
||||
echo ""
|
||||
|
||||
kubectl create secret generic aad-secret \
|
||||
--from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \
|
||||
--from-literal=CLIENT_ID=$CLIENT_ID \
|
||||
--from-literal=CLIENT_SECRET=$CLIENT_SECRET
|
||||
|
||||
echo ""
|
||||
echo "COMPLETE @ $(date +"%T"): Deploying secret"
|
||||
|
||||
# kubectl apply -f msal-net-proxy.yaml
|
||||
|
||||
echo "BEGIN @ $(date +"%T"): Calling Helm..."
|
||||
echo ""
|
||||
|
||||
helm install msal-proxy ./charts/msal-proxy
|
||||
helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy
|
||||
|
||||
echo ""
|
||||
echo "COMPLETE @ $(date +"%T"): Calling Helm"
|
||||
|
|
|
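Review bot: The replacement line `helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy` puts the client secret on the command line, where it is visible in process listings and shell history on the machine running the script; the removed `kubectl create secret --from-literal` form had the same property, so this is not a regression, but it is worth fixing while the line is touched, for example by writing the three values to a values file with restrictive permissions and passing it with `-f`. If the `--set` form is kept, use `--set-string` and quote the expansions so a value that happens to look like a number or boolean is not retyped by Helm before the template's `b64enc`, and is not word-split: `helm install msal-proxy ./charts/msal-proxy --set-string secret.azureadtenantid="$AZURE_TENANT_ID" --set-string secret.azureadclientid="$CLIENT_ID" --set-string secret.azureclientsecret="$CLIENT_SECRET"`. Note that values supplied this way are also persisted in the Helm release record in the cluster. The same command is added to the README in hunk `@@ -144,17 +144,50 @@`; the script continues outside the hunk.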
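--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,15 +0,0 @@
-kind: StorageClass
-apiVersion: storage.k8s.io/v1
-metadata:
-name: azurefile
-provisioner: kubernetes.io/azure-file
-mountOptions:
-- dir_mode=0777
-- file_mode=0777
-- uid=1000
-- gid=1000
-- mfsymlinks
-- nobrl
-- cache=none
-parameters:
-skuName: Standard_LRS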
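--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-name: system:azure-cloud-provider
-rules:
-- apiGroups: ['']
-resources: ['secrets']
-verbs: ['get','create']
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-name: system:azure-cloud-provider
-roleRef:
-kind: ClusterRole
-apiGroup: rbac.authorization.k8s.io
-name: system:azure-cloud-provider
-subjects:
-- kind: ServiceAccount
-name: persistent-volume-binder
-namespace: kube-system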
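--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-name: msal-net-proxy-az-file-pv-claim
-spec:
-accessModes:
-- ReadWriteMany
-storageClassName: azurefile
-resources:
-requests:
-storage: 5Gi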
@ -34,6 +34,11 @@ metadata:
|
|||
annotations:
|
||||
kubernetes.io/ingress.class: nginx
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
nginx.ingress.kubernetes.io/proxy-buffering: "on"
|
||||
nginx.ingress.kubernetes.io/proxy-buffers: "4"
|
||||
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
|
||||
nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
|
||||
nginx.ingress.kubernetes.io/proxy-max-temp-file-size: "1024m"
|
||||
spec:
|
||||
rules:
|
||||
- host: {{APP_HOSTNAME}}
|
||||
|
|
|
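Review bot: `nginx.ingress.kubernetes.io/proxy-buffers: "4"` among the added annotations does not appear to be a key ingress-nginx recognizes — the documented key is `proxy-buffers-number`, which the very next line already sets to the same value — so the line looks redundant, and on a controller configured to reject unknown annotations it could block the Ingress; verify against the controller version in use and drop it if unrecognized. The new buffer settings carry no comment saying why they are needed; presumably the large cookie and header payloads an auth proxy like this returns, but confirm. A line such as `# proxy buffers enlarged: upstream auth responses carry large cookies/headers` above the block would keep the next maintainer from trimming them. The Ingress definition starts outside the hunk.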
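--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ .Values.secret.name}}
+namespace: default
+type: Opaque
+data:
+{{ .Values.env.AzureAdTenantIdKeyRefKey}}: {{ .Values.secret.azureadtenantid | b64enc }}
+{{ .Values.env.AzureAdClientIdKeyRefKey}}: {{ .Values.secret.azureadclientid | b64enc }}
+{{ .Values.env.AzureAdClientSecretKeyRefKey}}: {{ .Values.secret.azureclientsecret | b64enc }}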
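Review bot: The new Secret template hard-codes `namespace: default`, so `helm install --namespace <ns>` creates the Secret in `default` while the rest of the release lands in `<ns>` and any `secretKeyRef` to it fails to resolve; use `namespace: {{ .Release.Namespace }}`. The three `data` entries render `.Values.secret.*` directly, and the defaults added to values in hunk `@@ -66,6 +66,12 @@` are the placeholders `tenantid`, `clientid` and `clientsecret`, so an install that forgets `--set` silently deploys a Secret holding bogus credentials; ship empty defaults and guard each value with `required`, e.g. `{{ .Values.env.AzureAdClientSecretKeyRefKey }}: {{ required "secret.azureclientsecret must be set" .Values.secret.azureclientsecret | b64enc }}`, and pipe through `toString` first so a numeric-looking value passed with `--set` does not reach `b64enc` as an integer. Helm also persists the supplied values in its release record in the cluster, so the credential is stored in two places; a comment saying so next to `secret:` in values.yaml would help operators decide whether an external secret is preferable.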
@ -66,6 +66,12 @@ resources: {}
|
|||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
secret:
|
||||
name: aad-secret
|
||||
azureadtenantid: tenantid
|
||||
azureadclientid: clientid
|
||||
azureclientsecret: clientsecret
|
||||
|
||||
autoscaling:
|
||||
enabled: false
|
||||
minReplicas: 1
|
||||
|
|
|
@ -102,7 +102,7 @@ echo $INGRESS_HOST
|
|||
# This should be the same as the $APP_HOSTNAME
|
||||
```
|
||||
|
||||
## Register AAD Application
|
||||
## Register AAD Application (Skip if you are registering AAD B2C)
|
||||
|
||||
```
|
||||
# The default app created has permissions we don't need and can cause problem if you are in a more restricted tenant environment
|
||||
|
@ -144,17 +144,50 @@ AZURE_TENANT_ID=$(az account show -o json | jq '.tenantId' -r)
|
|||
echo $AZURE_TENANT_ID
|
||||
```
|
||||
|
||||
## Register AAD B2C Application (Skip if you have registered an AAD Application)
|
||||
|
||||
```
|
||||
# Create an Azure AD B2C tenant
|
||||
Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant
|
||||
|
||||
# Get the name that will be used during registration
|
||||
echo $AD_APP_NAME
|
||||
|
||||
# Get the Redirect URI that will be used during registration
|
||||
echo $REPLY_URLS
|
||||
|
||||
# Register a web application in your AAD B2C tenant with the variables echoed above
|
||||
Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga
|
||||
|
||||
# Enable ID Tokens
|
||||
# Go to the 'Authentication' tab, under 'Implicit grant and hybrid flows' check 'ID tokens (used for implicit and hybrid flows)'
|
||||
|
||||
# !!NOTE: Replace everything including the { }
|
||||
# When you have registered your application, go to the 'Overview' tab of your registered web application and set the current variables
|
||||
CLIENT_ID={Replace with copied 'Application (client) ID'}
|
||||
OBJECT_ID={Replace with 'Object ID'}
|
||||
AZURE_TENANT_ID={Replace with 'Directory (tenant) ID'}
|
||||
|
||||
# Create a client secret
|
||||
Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#create-a-client-secret
|
||||
|
||||
# !!NOTE: Replace everything including the { }
|
||||
# Record the value into a variable
|
||||
CLIENT_SECRET={Replace with copied client secret value}
|
||||
|
||||
# Confirm all variables were set
|
||||
echo $CLIENT_ID
|
||||
echo $OBJECT_ID
|
||||
echo $AZURE_TENANT_ID
|
||||
echo $CLIENT_SECRET
|
||||
```
|
||||
|
||||
## Deploy MSAL Proxy
|
||||
|
||||
```
|
||||
kubectl create secret generic aad-secret \
|
||||
--from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \
|
||||
--from-literal=CLIENT_ID=$CLIENT_ID \
|
||||
--from-literal=CLIENT_SECRET=$CLIENT_SECRET
|
||||
|
||||
|
||||
# Go to the root of the repo before running this command
|
||||
helm install msal-proxy ./charts/msal-proxy
|
||||
helm install --set secret.azureadtenantid=$AZURE_TENANT_ID --set secret.azureadclientid=$CLIENT_ID --set secret.azureclientsecret=$CLIENT_SECRET msal-proxy ./charts/msal-proxy
|
||||
|
||||
# Confirm everything was deployed.
|
||||
kubectl get svc,deploy,pod
|
||||
|
|
29
main.sh
29
main.sh
|
@ -34,7 +34,6 @@ echo ""
|
|||
echo "BEGIN @ $(date +"%T"): Set variables..."
|
||||
|
||||
# Initialize Variables for flags
|
||||
ITERATION=''
|
||||
AD_APP_NAME=''
|
||||
CLUSTER_NAME=''
|
||||
CLUSTER_RG=''
|
||||
|
@ -42,8 +41,6 @@ EMAIL=''
|
|||
EMAIL_DOMAIN=''
|
||||
LOCATION=''
|
||||
INPUTIMAGE=''
|
||||
NAMESPACE=''
|
||||
CLIENTID='' # The only thing I really need is CLIENT ID. With the client ID, we can skip creating the AAD App.
|
||||
SKIP_CLUSTER_CREATION=''
|
||||
|
||||
while getopts "a:c:r:e:d:l:i:n:s:p:h" OPTION
|
||||
|
@ -51,13 +48,13 @@ do
|
|||
case $OPTION in
|
||||
a)
|
||||
# echo "The value of -a is ${OPTARG} - AD_APP_NAME"
|
||||
AD_APP_NAME=$OPTARG$ITERATION ;;
|
||||
AD_APP_NAME=$OPTARG ;;
|
||||
c)
|
||||
# echo "The value of -c is ${OPTARG} - CLUSTER_NAME"
|
||||
CLUSTER_NAME=$OPTARG$ITERATION ;;
|
||||
CLUSTER_NAME=$OPTARG ;;
|
||||
r)
|
||||
# echo "The value of -r is ${OPTARG} - CLUSTER_RG"
|
||||
CLUSTER_RG=$OPTARG$ITERATION ;;
|
||||
CLUSTER_RG=$OPTARG ;;
|
||||
e)
|
||||
# echo "The value of -e is ${OPTARG} - EMAIL"
|
||||
EMAIL=$OPTARG ;;
|
||||
|
@ -70,12 +67,6 @@ do
|
|||
i)
|
||||
# echo "The value of -i is ${OPTARG} - INPUTIMAGE"
|
||||
INPUTIMAGE=$OPTARG ;;
|
||||
n)
|
||||
# echo "The value of -n is ${OPTARG} - NAMESPACE"
|
||||
NAMESPACE=$OPTARG ;;
|
||||
s)
|
||||
# echo "The value of -s is ${OPTARG} - CLIENTID"
|
||||
CLIENTID=$OPTARG ;;
|
||||
p)
|
||||
# echo "The value of -p is ${OPTARG} - SKIP_CLUSTER_CREATION"
|
||||
SKIP_CLUSTER_CREATION=$OPTARG ;;
|
||||
|
@ -89,8 +80,6 @@ do
|
|||
echo "REQUIRED: -d is for EMAIL_DOMAIN"
|
||||
echo "REQUIRED: -l is for LOCATION"
|
||||
echo "OPTOINAL: -i is for INPUTIMAGE"
|
||||
echo "OPTOINAL: -n is for NAMESPACE"
|
||||
echo "OPTOINAL: -s is for CLIENTID"
|
||||
echo "OPTOINAL: -p is for SKIP_CLUSTER_CREATION"
|
||||
exit ;;
|
||||
esac
|
||||
|
@ -103,19 +92,10 @@ if [ -z "$AD_APP_NAME" ] || [ -z "$CLUSTER_NAME" ] || [ -z "$CLUSTER_RG" ] || [
|
|||
exit
|
||||
fi
|
||||
|
||||
# If there is no flag set for SKIP_CLUSTER_CREATION, then create a random iteration.
|
||||
if [ -z "$SKIP_CLUSTER_CREATION" ]; then
|
||||
ITERATION=$RANDOM
|
||||
else
|
||||
ITERATION=''
|
||||
fi
|
||||
|
||||
APP_HOSTNAME="$AD_APP_NAME.$LOCATION.cloudapp.azure.com"
|
||||
HOMEPAGE=https://$APP_HOSTNAME
|
||||
IDENTIFIER_URIS=$HOMEPAGE
|
||||
REPLY_URLS=https://$APP_HOSTNAME/msal/signin-oidc
|
||||
COOKIE_SECRET=$(python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("utf-8"))')
|
||||
INGRESS_IP=0
|
||||
|
||||
echo "The value of -a is $AD_APP_NAME - AD_APP_NAME"
|
||||
echo "The value of -c is $CLUSTER_NAME - CLUSTER_NAME"
|
||||
|
@ -124,10 +104,7 @@ echo "The value of -e is $EMAIL - EMAIL"
|
|||
echo "The value of -d is $EMAIL_DOMAIN - EMAIL_DOMAIN"
|
||||
echo "The value of -l is $LOCATION - LOCATION"
|
||||
echo "The value of -i is $INPUTIMAGE - INPUTIMAGE"
|
||||
echo "The value of -n is $NAMESPACE - NAMESPACE"
|
||||
echo "The value of -s is $CLIENTID - CLIENTID"
|
||||
echo "The value of -p is $SKIP_CLUSTER_CREATION - SKIP_CLUSTER_CREATION"
|
||||
echo "COOKIE_SECRET: " $COOKIE_SECRET
|
||||
echo "COMPLETE @ $(date +"%T"): Setting variables"
|
||||
|
||||
|
||||
|
|
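Review bot: The `s)` and `p)` case arms and their usage lines are removed (hunks `@@ -70,12 +67,6 @@` and `@@ -89,8 +80,6 @@`), but the optstring on the context line `while getopts "a:c:r:e:d:l:i:n:s:p:h" OPTION` still declares `s:` and `p:`, so `-s` and `-p` are still accepted, consume an argument and are silently ignored instead of being flagged as unknown (getopts would set OPTION to `?`); change it to `while getopts "a:c:r:e:d:l:i:n:h" OPTION`. A one-line comment at the `a)` arm, such as `# no random suffix: names must be stable so the script can be re-run against an existing cluster`, would record why `$ITERATION` was dropped from `AD_APP_NAME`, `CLUSTER_NAME` and `CLUSTER_RG`, which is otherwise only inferable from the removed `$RANDOM` block. The `getopts` loop and the later validation `if` start and end outside the hunks.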