aks-baseline-automation/.github/workflows/IaC-bicep-AKS.yml

name: 'IaC Deploy CARML based AKS Cluster'

on:
  workflow_dispatch:
    inputs:
      ENVIRONMENT:
        description: 'A GitHub Environment to pull action secrets from'
        required: true
        type: environment
      REGION:
        description: 'The Azure region to deploy to'
        required: true
        default: westus2
      clusterAdminAadGroupObjectId:
        description: 'K8S Admin Azure AAD Group ObjectID'
        required: true
        type: string
      a0008NamespaceReaderAadGroupObjectId:
        description: 'K8S Reader Azure AAD Group ObjectID'
        required: true
        type: string

env:
  event_sha: +refs/pull/${{ github.event.issue.number }}/merge

permissions:
      id-token: write
      contents: read

jobs:
  prereqs:
    runs-on: ubuntu-latest
    environment: ${{ github.event.inputs.ENVIRONMENT }}
    name: Prerequisite Checks
    steps:
      - name: "Checkout"
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: "Parameter Check"
        run: |
          echo "Environment : ${{ github.event.inputs.ENVIRONMENT }}"
          echo "REGION : ${{ github.event.inputs.REGION }}"

      - name: Azure Login
        uses: Azure/login@v1.4.3
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: "Check Preview Features"
        shell: pwsh
        run: |
          write-output "Verifying required Resource Providers Features are registered"
          $aksfeatures = az feature list --query "[?contains(name, 'Microsoft.ContainerService')]" | ConvertFrom-Json

          $featureName='AKS-ExtensionManager'
          write-output "-- $featureName"
          $feature = $aksfeatures |  Where-Object {$_.name -like "*$featureName"}
          $feature.properties.state
          if ($feature.properties.state -ne 'Registered') {
            Write-Output $feature
            Write-Error "$featureName NOT registered"
          }

          $featureName='EnableOIDCIssuerPreview'
          write-output "-- $featureName"
          $feature = $aksfeatures |  Where-Object {$_.name -like "*$featureName"}
          $feature.properties.state
          if ($feature.properties.state -ne 'Registered') {
            Write-Output $feature
            Write-Error "$featureName NOT registered"
          }

          $featureName='AKS-AzureDefender'
          write-output "-- $featureName"
          $feature = $aksfeatures |  Where-Object {$_.name -like "*$featureName"}
          $feature.properties.state
          if ($feature.properties.state -ne 'Registered') {
            Write-Output $feature
            Write-Error "$featureName NOT registered"
          }

  deployment:
    runs-on: ubuntu-latest
    environment: ${{ github.event.inputs.ENVIRONMENT }}
    name: Deployment
    needs: [prereqs]
    steps:
      - name: "Checkout"
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      # This step is just used for convenience as you won't be using self-signed certificate in your production environment.
      # The certificate used in your environment will likely be generated and imported into KeyVault by your security team 
      - name: "Cert Generation"
        id: cert
        run: |
          export DOMAIN_NAME_AKS_BASELINE="contoso.com"
          export CN="bicycle"
          openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out appgw.crt -keyout appgw.key -subj "/CN=${CN}.${DOMAIN_NAME_AKS_BASELINE}/O=Contoso Bicycle" -addext "subjectAltName = DNS:${CN}.${DOMAIN_NAME_AKS_BASELINE}" -addext "keyUsage = digitalSignature" -addext "extendedKeyUsage = serverAuth"
          openssl pkcs12 -export -out appgw.pfx -in appgw.crt -inkey appgw.key -passout pass:
          export APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE=$(cat appgw.pfx | base64 | tr -d '\n')
          echo "APP_GATEWAY_LISTENER_CERTIFICATE=$APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE" >> $GITHUB_ENV
          openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out traefik-ingress-internal-aks-ingress-tls.crt -keyout traefik-ingress-internal-aks-ingress-tls.key -subj "/CN=*.aks-ingress.${DOMAIN_NAME_AKS_BASELINE}/O=Contoso AKS Ingress"
          export AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE=$(cat traefik-ingress-internal-aks-ingress-tls.crt | base64 | tr -d '\n')
          echo "AKS_INGRESS_CONTROLLER_CERTIFICATE=$AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE" >> $GITHUB_ENV

      - name: Azure Login
        uses: Azure/login@v1.4.3
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: "Deploy AKS Landingzone"
        id: akslz
        uses: azure/arm-deploy@v1
        with:
          subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}
          region: ${{ github.event.inputs.REGION }}
          scope: subscription
          template: ./IaC/bicep/main.bicep
          parameters: ./IaC/bicep/main.parameters.json clusterAdminAadGroupObjectId=${{ github.event.inputs.clusterAdminAadGroupObjectId }} a0008NamespaceReaderAadGroupObjectId=${{ github.event.inputs.a0008NamespaceReaderAadGroupObjectId }} appGatewayListenerCertificate=${{ env.APP_GATEWAY_LISTENER_CERTIFICATE }} aksIngressControllerCertificate=${{ env.AKS_INGRESS_CONTROLLER_CERTIFICATE }}
          failOnStdErr: false
          deploymentName: carml-aks-landingzone-${{ github.event.inputs.REGION }}

      # Import core images hosted in public container registries to be used during bootstrapping
      - name: "Import Images into ACR for flux"
        id: image_import
        run: |
          az acr import --source docker.io/weaveworks/kured:1.10.1 -n ${{ steps.akslz.outputs.containerRegistryName }} --force
          az acr import --source docker.io/library/traefik:v2.8.1 -n ${{ steps.akslz.outputs.containerRegistryName }} --force

        # Temporary workaround until we figure out why steps.cluster.outputs.keyVaultName is blank
      - name: "Get KeyVault Name"
        id: akv_name
        run: |
          export AKV_NAME=$(az keyvault list -g rg-bu0001a0008 -o table | grep "kv-aks" | awk '{print $2}')
          echo "AKV_NAME=${AKV_NAME}" >> $GITHUB_ENV
          echo "AKV Name from bicep output is ${{ steps.akslz.outputs.keyVaultName }}"
          echo "aksIngressControllerPodManagedIdentityResourceId from bicep output is ${{ steps.akslz.outputs.aksIngressControllerPodManagedIdentityResourceId }}"
          echo "To prove that this should work: hubVnetId is ${{ steps.akslz.outputs.hubVnetId }}"

        # Re-authentication is required for the commands that follow
      - name: Azure Login
        uses: Azure/login@v1.4.3
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # This step is just used for convenience as the certificate used in your environment will likely be generated and imported into KeyVault by your security team 
      # This step imports into KeyVault the same backend cert that was generated above for the App Gateway. This cert will be used by the Ingress Controller Traefik.
      - name: "Cert Import into Key Vault for Traefik"
        id: cert_import
        run: |
          ASSIGNEE_OBJ_ID=$(az ad sp show --id ${{ secrets.AZURE_CLIENT_ID }} --query id -o tsv)
          AKV_RESOURCE_ID=$(az keyvault show -n ${{ env.AKV_NAME }} --query id -o tsv)
          TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT=$(az role assignment create --role a4417e6f-fecd-4de8-b567-7b0420556985 --assignee-principal-type serviceprincipal --assignee-object-id $ASSIGNEE_OBJ_ID --scope $AKV_RESOURCE_ID | jq '.id' )

          sleep 60

          CURRENT_IP_ADDRESS=$(curl -s -4 https://ifconfig.io)
          az keyvault network-rule add -n ${{ env.AKV_NAME }} --ip-address ${CURRENT_IP_ADDRESS}

          sleep 30

          cat traefik-ingress-internal-aks-ingress-tls.crt traefik-ingress-internal-aks-ingress-tls.key > traefik-ingress-internal-aks-ingress-tls.pem
          az keyvault certificate import -f traefik-ingress-internal-aks-ingress-tls.pem -n traefik-ingress-internal-aks-ingress-tls --vault-name ${{ env.AKV_NAME }}

          az keyvault network-rule remove -n ${{ env.AKV_NAME }} --ip-address ${CURRENT_IP_ADDRESS}
          az role assignment delete --role a4417e6f-fecd-4de8-b567-7b0420556985 --assignee $ASSIGNEE_OBJ_ID --scope $AKV_RESOURCE_ID
Testing Flask workflow 2022-09-14 03:07:44 +03:00			`name: 'IaC Deploy CARML based AKS Cluster'`
workflow name 2022-03-30 13:39:18 +03:00
final 2022-03-11 19:20:08 +03:00			`on:`
			`workflow_dispatch:`
Promoting AAD Group Object ID's to pipeline input 2022-03-23 13:35:50 +03:00			`inputs:`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`ENVIRONMENT:`
			`description: 'A GitHub Environment to pull action secrets from'`
Promoting AAD Group Object ID's to pipeline input 2022-03-23 13:35:50 +03:00			`required: true`
Adding Environment to AKS CARML workflow 2022-03-30 13:37:14 +03:00			`type: environment`
			`REGION:`
			`description: 'The Azure region to deploy to'`
Promoting AAD Group Object ID's to pipeline input 2022-03-23 13:35:50 +03:00			`required: true`
adding region naming to deploy 2022-06-23 11:04:16 +03:00			`default: westus2`
Update IaC-bicep-AKS.yml 2022-05-06 00:54:17 +03:00			`clusterAdminAadGroupObjectId:`
			`description: 'K8S Admin Azure AAD Group ObjectID'`
			`required: true`
Update key vault module to latest CARML version (#85) * update KeyVault module * update spoke 2022-09-29 21:46:12 +03:00			`type: string`
Update IaC-bicep-AKS.yml 2022-05-06 00:54:17 +03:00			`a0008NamespaceReaderAadGroupObjectId:`
			`description: 'K8S Reader Azure AAD Group ObjectID'`
			`required: true`
Update key vault module to latest CARML version (#85) * update KeyVault module * update spoke 2022-09-29 21:46:12 +03:00			`type: string`
adding region naming to deploy 2022-06-23 11:04:16 +03:00
final 2022-03-11 19:20:08 +03:00			`env:`
			`event_sha: +refs/pull/${{ github.event.issue.number }}/merge`

oidc flow login 2022-03-30 13:43:45 +03:00			`permissions:`
			`id-token: write`
			`contents: read`

final 2022-03-11 19:20:08 +03:00			`jobs:`
adding prereq stage 2022-03-23 14:15:58 +03:00			`prereqs:`
			`runs-on: ubuntu-latest`
env prefix 2022-03-30 13:49:26 +03:00			`environment: ${{ github.event.inputs.ENVIRONMENT }}`
Added Defender check 2022-03-23 14:21:31 +03:00			`name: Prerequisite Checks`
adding prereq stage 2022-03-23 14:15:58 +03:00			`steps:`
			`- name: "Checkout"`
			`uses: actions/checkout@v2`
			`with:`
			`fetch-depth: 0`

parameter check step 2022-03-30 13:51:34 +03:00			`- name: "Parameter Check"`
			`run: \|`
			`echo "Environment : ${{ github.event.inputs.ENVIRONMENT }}"`
			`echo "REGION : ${{ github.event.inputs.REGION }}"`

oidc flow login 2022-03-30 13:43:45 +03:00			`- name: Azure Login`
			`uses: Azure/login@v1.4.3`
adding prereq stage 2022-03-23 14:15:58 +03:00			`with:`
oidc flow login 2022-03-30 13:43:45 +03:00			`client-id: ${{ secrets.AZURE_CLIENT_ID }}`
			`tenant-id: ${{ secrets.AZURE_TENANT_ID }}`
			`subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}`
adding prereq stage 2022-03-23 14:15:58 +03:00
			`- name: "Check Preview Features"`
			`shell: pwsh`
			`run: \|`
Adding AKS-ExtensionManager 2022-03-28 17:27:54 +03:00			`write-output "Verifying required Resource Providers Features are registered"`
CARML modules updated (#112) * update to newsest CARML modules * test * add missing roles * fix prereq check 2023-01-07 21:51:27 +03:00			`$aksfeatures = az feature list --query "[?contains(name, 'Microsoft.ContainerService')]" \| ConvertFrom-Json`

			`$featureName='AKS-ExtensionManager'`
			`write-output "-- $featureName"`
			`$feature = $aksfeatures \| Where-Object {$_.name -like "*$featureName"}`
			`$feature.properties.state`
			`if ($feature.properties.state -ne 'Registered') {`
			`Write-Output $feature`
			`Write-Error "$featureName NOT registered"`
			`}`

Added Defender check 2022-03-23 14:21:31 +03:00			`$featureName='EnableOIDCIssuerPreview'`
			`write-output "-- $featureName"`
CARML modules updated (#112) * update to newsest CARML modules * test * add missing roles * fix prereq check 2023-01-07 21:51:27 +03:00			`$feature = $aksfeatures \| Where-Object {$_.name -like "*$featureName"}`
Added Defender check 2022-03-23 14:21:31 +03:00			`$feature.properties.state`
			`if ($feature.properties.state -ne 'Registered') {`
			`Write-Output $feature`
			`Write-Error "$featureName NOT registered"`
			`}`
CARML modules updated (#112) * update to newsest CARML modules * test * add missing roles * fix prereq check 2023-01-07 21:51:27 +03:00
Added Defender check 2022-03-23 14:21:31 +03:00			`$featureName='AKS-AzureDefender'`
			`write-output "-- $featureName"`
CARML modules updated (#112) * update to newsest CARML modules * test * add missing roles * fix prereq check 2023-01-07 21:51:27 +03:00			`$feature = $aksfeatures \| Where-Object {$_.name -like "*$featureName"}`
Added Defender check 2022-03-23 14:21:31 +03:00			`$feature.properties.state`
			`if ($feature.properties.state -ne 'Registered') {`
			`Write-Output $feature`
			`Write-Error "$featureName NOT registered"`
CARML modules updated (#112) * update to newsest CARML modules * test * add missing roles * fix prereq check 2023-01-07 21:51:27 +03:00			`}`
adding prereq stage 2022-03-23 14:15:58 +03:00
final 2022-03-11 19:20:08 +03:00			`deployment:`
			`runs-on: ubuntu-latest`
env prefix 2022-03-30 13:49:26 +03:00			`environment: ${{ github.event.inputs.ENVIRONMENT }}`
job name 2022-03-28 17:28:37 +03:00			`name: Deployment`
adding prereq stage 2022-03-23 14:15:58 +03:00			`needs: [prereqs]`
final 2022-03-11 19:20:08 +03:00			`steps:`
			`- name: "Checkout"`
			`uses: actions/checkout@v2`
			`with:`
			`fetch-depth: 0`
loading certs from file 2022-03-23 13:16:53 +03:00
Updated the workflow 2022-08-27 05:30:08 +03:00			`# This step is just used for convenience as you won't be using self-signed certificate in your production environment.`
			`# The certificate used in your environment will likely be generated and imported into KeyVault by your security team`
adding cert generation step in as a test. 2022-07-28 18:18:37 +03:00			`- name: "Cert Generation"`
testing cert 2022-07-29 14:52:42 +03:00			`id: cert`
adding cert generation step in as a test. 2022-07-28 18:18:37 +03:00			`run: \|`
Updated the workflow 2022-08-27 05:30:08 +03:00			`export DOMAIN_NAME_AKS_BASELINE="contoso.com"`
			`export CN="bicycle"`
try hack with rg query 2022-08-26 04:27:44 +03:00			`openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out appgw.crt -keyout appgw.key -subj "/CN=${CN}.${DOMAIN_NAME_AKS_BASELINE}/O=Contoso Bicycle" -addext "subjectAltName = DNS:${CN}.${DOMAIN_NAME_AKS_BASELINE}" -addext "keyUsage = digitalSignature" -addext "extendedKeyUsage = serverAuth"`
adding cert generation step in as a test. 2022-07-28 18:18:37 +03:00			`openssl pkcs12 -export -out appgw.pfx -in appgw.crt -inkey appgw.key -passout pass:`
			`export APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE=$(cat appgw.pfx \| base64 \| tr -d '\n')`
testing using env var file 2022-07-29 18:09:33 +03:00			`echo "APP_GATEWAY_LISTENER_CERTIFICATE=$APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE" >> $GITHUB_ENV`
Updating aks bicep yaml 2022-08-25 22:41:51 +03:00			`openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out traefik-ingress-internal-aks-ingress-tls.crt -keyout traefik-ingress-internal-aks-ingress-tls.key -subj "/CN=*.aks-ingress.${DOMAIN_NAME_AKS_BASELINE}/O=Contoso AKS Ingress"`
adding cert generation step in as a test. 2022-07-28 18:18:37 +03:00			`export AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE=$(cat traefik-ingress-internal-aks-ingress-tls.crt \| base64 \| tr -d '\n')`
testing using env var file 2022-07-29 18:09:33 +03:00			`echo "AKS_INGRESS_CONTROLLER_CERTIFICATE=$AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE" >> $GITHUB_ENV`
adding cert generation step in as a test. 2022-07-28 18:18:37 +03:00
oidc flow login 2022-03-30 13:43:45 +03:00			`- name: Azure Login`
			`uses: Azure/login@v1.4.3`
final 2022-03-11 19:20:08 +03:00			`with:`
oidc flow login 2022-03-30 13:43:45 +03:00			`client-id: ${{ secrets.AZURE_CLIENT_ID }}`
			`tenant-id: ${{ secrets.AZURE_TENANT_ID }}`
			`subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}`
loading certs from file 2022-03-23 13:16:53 +03:00
Add top level biceps file (#117) * add wrapper bicep file * update pipeline * fix nsg typo * update dependency * update dependency * default kube version * update resourcegroup name * update pipeline * update kv script * moving hardcoded values into parameter file * remove certificates from param file * adding parameter file into pipeline * remove default values --------- Co-authored-by: Ayobami Ayodeji <ayobaami@hotmail.com> Co-authored-by: Rainer Halanek <rahalan@microsoft.com> Co-authored-by: Rainer Halanek <61878316+rahalan@users.noreply.github.com> 2023-04-18 10:04:31 +03:00			`- name: "Deploy AKS Landingzone"`
			`id: akslz`
uncommented 2022-08-25 17:17:11 +03:00			`uses: azure/arm-deploy@v1`
			`with:`
			`subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}`
			`region: ${{ github.event.inputs.REGION }}`
			`scope: subscription`
Add top level biceps file (#117) * add wrapper bicep file * update pipeline * fix nsg typo * update dependency * update dependency * default kube version * update resourcegroup name * update pipeline * update kv script * moving hardcoded values into parameter file * remove certificates from param file * adding parameter file into pipeline * remove default values --------- Co-authored-by: Ayobami Ayodeji <ayobaami@hotmail.com> Co-authored-by: Rainer Halanek <rahalan@microsoft.com> Co-authored-by: Rainer Halanek <61878316+rahalan@users.noreply.github.com> 2023-04-18 10:04:31 +03:00			`template: ./IaC/bicep/main.bicep`
			`parameters: ./IaC/bicep/main.parameters.json clusterAdminAadGroupObjectId=${{ github.event.inputs.clusterAdminAadGroupObjectId }} a0008NamespaceReaderAadGroupObjectId=${{ github.event.inputs.a0008NamespaceReaderAadGroupObjectId }} appGatewayListenerCertificate=${{ env.APP_GATEWAY_LISTENER_CERTIFICATE }} aksIngressControllerCertificate=${{ env.AKS_INGRESS_CONTROLLER_CERTIFICATE }}`
uncommented 2022-08-25 17:17:11 +03:00			`failOnStdErr: false`
Add top level biceps file (#117) * add wrapper bicep file * update pipeline * fix nsg typo * update dependency * update dependency * default kube version * update resourcegroup name * update pipeline * update kv script * moving hardcoded values into parameter file * remove certificates from param file * adding parameter file into pipeline * remove default values --------- Co-authored-by: Ayobami Ayodeji <ayobaami@hotmail.com> Co-authored-by: Rainer Halanek <rahalan@microsoft.com> Co-authored-by: Rainer Halanek <61878316+rahalan@users.noreply.github.com> 2023-04-18 10:04:31 +03:00			`deploymentName: carml-aks-landingzone-${{ github.event.inputs.REGION }}`
commented out lines 2022-08-25 12:20:25 +03:00
Updated the bicep workflow 2022-08-28 00:17:50 +03:00			`# Import core images hosted in public container registries to be used during bootstrapping`
fixed bicep workflow 2022-08-28 03:29:07 +03:00			`- name: "Import Images into ACR for flux"`
			`id: image_import`
			`run: \|`
Add top level biceps file (#117) * add wrapper bicep file * update pipeline * fix nsg typo * update dependency * update dependency * default kube version * update resourcegroup name * update pipeline * update kv script * moving hardcoded values into parameter file * remove certificates from param file * adding parameter file into pipeline * remove default values --------- Co-authored-by: Ayobami Ayodeji <ayobaami@hotmail.com> Co-authored-by: Rainer Halanek <rahalan@microsoft.com> Co-authored-by: Rainer Halanek <61878316+rahalan@users.noreply.github.com> 2023-04-18 10:04:31 +03:00			`az acr import --source docker.io/weaveworks/kured:1.10.1 -n ${{ steps.akslz.outputs.containerRegistryName }} --force`
			`az acr import --source docker.io/library/traefik:v2.8.1 -n ${{ steps.akslz.outputs.containerRegistryName }} --force`
move run after cluster deploy 2022-08-25 23:05:03 +03:00
temlateized traefik 2022-08-27 00:20:12 +03:00			`# Temporary workaround until we figure out why steps.cluster.outputs.keyVaultName is blank`
Enhancements to the bicep workflow 2022-08-27 22:54:11 +03:00			`- name: "Get KeyVault Name"`
update after revert 2022-08-25 23:01:38 +03:00			`id: akv_name`
			`run: \|`
Add top level biceps file (#117) * add wrapper bicep file * update pipeline * fix nsg typo * update dependency * update dependency * default kube version * update resourcegroup name * update pipeline * update kv script * moving hardcoded values into parameter file * remove certificates from param file * adding parameter file into pipeline * remove default values --------- Co-authored-by: Ayobami Ayodeji <ayobaami@hotmail.com> Co-authored-by: Rainer Halanek <rahalan@microsoft.com> Co-authored-by: Rainer Halanek <61878316+rahalan@users.noreply.github.com> 2023-04-18 10:04:31 +03:00			`export AKV_NAME=$(az keyvault list -g rg-bu0001a0008 -o table \| grep "kv-aks" \| awk '{print $2}')`
clean up test runs 2022-08-26 05:26:01 +03:00			`echo "AKV_NAME=${AKV_NAME}" >> $GITHUB_ENV`
Add top level biceps file (#117) * add wrapper bicep file * update pipeline * fix nsg typo * update dependency * update dependency * default kube version * update resourcegroup name * update pipeline * update kv script * moving hardcoded values into parameter file * remove certificates from param file * adding parameter file into pipeline * remove default values --------- Co-authored-by: Ayobami Ayodeji <ayobaami@hotmail.com> Co-authored-by: Rainer Halanek <rahalan@microsoft.com> Co-authored-by: Rainer Halanek <61878316+rahalan@users.noreply.github.com> 2023-04-18 10:04:31 +03:00			`echo "AKV Name from bicep output is ${{ steps.akslz.outputs.keyVaultName }}"`
			`echo "aksIngressControllerPodManagedIdentityResourceId from bicep output is ${{ steps.akslz.outputs.aksIngressControllerPodManagedIdentityResourceId }}"`
			`echo "To prove that this should work: hubVnetId is ${{ steps.akslz.outputs.hubVnetId }}"`
test local files 2022-08-25 22:31:15 +03:00
fixed bicep workflow 2022-08-28 03:29:07 +03:00			`# Re-authentication is required for the commands that follow`
			`- name: Azure Login`
			`uses: Azure/login@v1.4.3`
			`with:`
			`client-id: ${{ secrets.AZURE_CLIENT_ID }}`
			`tenant-id: ${{ secrets.AZURE_TENANT_ID }}`
			`subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}`
clean up test runs 2022-08-26 05:26:01 +03:00
Updated the workflow 2022-08-27 05:30:08 +03:00			`# This step is just used for convenience as the certificate used in your environment will likely be generated and imported into KeyVault by your security team`
Updated the bicep workflow 2022-08-28 00:17:50 +03:00			`# This step imports into KeyVault the same backend cert that was generated above for the App Gateway. This cert will be used by the Ingress Controller Traefik.`
Updated the workflow 2022-08-27 05:30:08 +03:00			`- name: "Cert Import into Key Vault for Traefik"`
change order temp 2022-08-25 12:13:57 +03:00			`id: cert_import`
			`run: \|`
			`ASSIGNEE_OBJ_ID=$(az ad sp show --id ${{ secrets.AZURE_CLIENT_ID }} --query id -o tsv)`
try hack with rg query 2022-08-26 04:24:53 +03:00			`AKV_RESOURCE_ID=$(az keyvault show -n ${{ env.AKV_NAME }} --query id -o tsv)`
change order temp 2022-08-25 12:13:57 +03:00			`TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT=$(az role assignment create --role a4417e6f-fecd-4de8-b567-7b0420556985 --assignee-principal-type serviceprincipal --assignee-object-id $ASSIGNEE_OBJ_ID --scope $AKV_RESOURCE_ID \| jq '.id' )`

			`sleep 60`

			`CURRENT_IP_ADDRESS=$(curl -s -4 https://ifconfig.io)`
try hack with rg query 2022-08-26 02:54:08 +03:00			`az keyvault network-rule add -n ${{ env.AKV_NAME }} --ip-address ${CURRENT_IP_ADDRESS}`
change order temp 2022-08-25 12:13:57 +03:00
			`sleep 30`

			`cat traefik-ingress-internal-aks-ingress-tls.crt traefik-ingress-internal-aks-ingress-tls.key > traefik-ingress-internal-aks-ingress-tls.pem`
try hack with rg query 2022-08-26 02:54:08 +03:00			`az keyvault certificate import -f traefik-ingress-internal-aks-ingress-tls.pem -n traefik-ingress-internal-aks-ingress-tls --vault-name ${{ env.AKV_NAME }}`
keyvaultname support 2022-08-25 00:51:02 +03:00
Updated the workflow 2022-08-27 05:30:08 +03:00			`az keyvault network-rule remove -n ${{ env.AKV_NAME }} --ip-address ${CURRENT_IP_ADDRESS}`
fixed bicep workflow 2022-08-28 04:20:33 +03:00			`az role assignment delete --role a4417e6f-fecd-4de8-b567-7b0420556985 --assignee $ASSIGNEE_OBJ_ID --scope $AKV_RESOURCE_ID`

Updated the workflow 2022-08-27 05:30:08 +03:00