Add run as deployment using identity/keyvault sample (#316)

* Add run as deployment using identity/keyvault sample
This commit is contained in:
Huangli Wu 2019-12-11 20:29:07 -08:00 коммит произвёл Bin Du
Родитель 5a53fa17dc
Коммит 8b0dca295b
4 изменённых файлов: 232 добавлений и 1 удалений

Просмотреть файл

@ -7,7 +7,8 @@ title: Deploy with ARM templates
The following set of samples show how to use an ARM template to execute various Task workflows.
1. [Deploy a docker build on an existing registry](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/quickdockerbuild-on-existing-registry)
1. [Deploy a docker build on an existing registry using identity and keyvault](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/quickdockerbuildusingidentitykeyvault)
1. [Create a Registry and perform a docker build from a GitHub repository](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/quickdockerbuild)
1. [Create a Registry and perform a docker build from a GitHub repository with a Managed Identity](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/quickdockerbuild)
1. [Create a registry and schedule a quick task with task definition as an argument](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/quickrun)
1. [Create a registry and schedule a predefined task](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/taskrun)
1. [Create a registry and schedule a predefined task](https://github.com/Azure/acr/tree/master/docs/tasks/run-as-deployment/taskrun)

Просмотреть файл

@ -0,0 +1,83 @@
# Quick Docker build using identity and keyvault
## Create a resource group
```bash
az group create \
-n mytaskrunrg \
-l westus
```
## Create a Registry
```bash
az acr create \
-n myreg -g mytaskrunrg --sku Standard
```
## Create a Custom Registry and enable the admin user
```bash
az acr create \
-n mycustomreg -g mytaskrunrg --sku Standard --admin-enabled true
```
## Create a User Identity
```bash
az identity create \
-g mytaskrunrg \
-n myquickdockerbuildrunwithidentity
```
## Create KeyVault
```bash
az keyvault create --name mykeyvault --resource-group mytaskrunrg --location eastus2
```
## Save registry username/password in the keyvault
```bash
#Get password of admin user
password=$(az acr credential show --name mycustomreg --query passwords[0].value --output tsv)
az keyvault secret set --name username --value mycustomreg --vault-name mykeyvault
az keyvault secret set --name password --value $password --vault-name mykeyvault
```
## Grant identity access to key vault (object-id is the Object ID of managed identity)
```bash
#Get principal id of the identity
principalId=$(az identity show --resource-group mytaskrunrg --name myquickdockerbuildrunwithidentity --query principalId --output tsv)
az keyvault set-policy --name mykeyvault --resource-group mytaskrunrg --object-id $principalId --secret-permissions get
```
## Deploy a quick run
```bash
#Get the custom registry name
customregistryName=$(az acr show -n mycustomreg --query loginServer --output tsv)
#Get the KeyVault UserName Url
userNameUrl=$(az keyvault secret show --name username --vault-name mykeyvault --query id --output tsv)
#Get the KeyVault Password Url
passwordUrl=$(az keyvault secret show --name password --vault-name mykeyvault --query id --output tsv)
#Get the ID of ManagedIdentity
managedId=$(az identity show --resource-group mytaskrunrg --name myquickdockerbuildrunwithidentity --query id --output tsv)
az group deployment create --resource-group "mytaskrunrg" --template-file azuredeploy.json \
--parameters azuredeploy.parameters.json \
--parameters registryName="myreg" \
--parameters taskRunName="mytaskrun" \
--parameters customRegistryName=$customregistryName \
--parameters userNameUrl=$userNameUrl \
--parameters userPasswordUrl=$passwordUrl \
--parameters repository="hello-world" \
--parameters managedIdResourceId=$managedIdResourceId \
--parameters sourceLocation="https://github.com/Azure-Samples/acr-build-helloworld-node.git"
```

Просмотреть файл

@ -0,0 +1,135 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
},
"registryName": {
"type": "string",
"metadata": {
"description": "Name of your Azure Container Registry"
}
},
"taskRunName": {
"type": "string",
"minLength": 5,
"maxLength": 50,
"metadata": {
"description": "Name of your Task Run"
}
},
"userNameUrl": {
"type": "string",
"metadata": {
"description": "The keyvault Url to the UserName"
}
},
"userPasswordUrl": {
"type": "string",
"metadata": {
"description": "The keyvault Url to the Password"
}
},
"customRegistryName": {
"type": "string",
"metadata": {
"description": "The full name of the Custom Registry"
}
},
"repository": {
"type": "string",
"metadata": {
"description": "Repository name for the the build output"
}
},
"sourceLocation": {
"type": "string",
"metadata": {
"description": "The location of the source to build the image"
}
},
"dockerFilePath": {
"type": "string",
"metadata": {
"description": "The relative path of the dockerfile in the source location"
},
"defaultValue": "Dockerfile"
},
"managedIdResourceId": {
"type": "string",
"metadata": {
"description": "The Full Path Of ManagedIdentity"
}
}
},
"variables": {
"imageName": "[concat(parameters('repository'), ':', parameters('taskRunName'))]",
"idApiVersion": "[first(providers('Microsoft.ManagedIdentity', 'userAssignedIdentities').apiVersions)]"
},
"resources": [
{
"type": "Microsoft.ContainerRegistry/registries/taskRuns/",
"name": "[concat(parameters('registryName'), '/', parameters('taskRunName'))]",
"location": "[parameters('location')]",
"apiVersion": "2019-06-01-preview",
"identity": {
"principalId": null,
"tenantId": null,
"type": "UserAssigned",
"userAssignedIdentities": {
"[parameters('managedIdResourceId')]": {}
}
},
"properties": {
"runRequest": {
"type": "DockerBuildRequest",
"imageNames": [
"[variables('imageName')]"
],
"sourceLocation": "[parameters('sourceLocation')]",
"dockerFilePath": "[parameters('dockerFilePath')]",
"values": [],
"isPushEnabled": true,
"platform": {
"os": "linux",
"architecture": "amd64"
},
"credentials": {
"apiVersion": "2018-09-01",
"customRegistries": {
"[parameters('customRegistryName')]": {
"userName": {
"type": "Vaultsecret",
"value": "[parameters('userNameUrl')]"
},
"passsword": {
"type": "Vaultsecret",
"value": "[parameters('userPasswordUrl')]"
},
"identity": "[reference(parameters('managedIdResourceId'), variables('idApiVersion'), 'Full').properties.clientId]"
}
},
"sourceRegistry": {
"loginMode": "Default"
}
}
}
}
}
],
"outputs": {
"registry": {
"type": "string",
"value": "[parameters('registryName')]"
},
"repository": {
"type": "string",
"value": "[parameters('taskRunName')]"
}
}
}

Просмотреть файл

@ -0,0 +1,12 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"registryName": {
"value": "mytaskrunregistry"
},
"taskRunName": {
"value": "myquickdockerbuildrun"
}
}
}