136 строки
5.3 KiB
PowerShell
136 строки
5.3 KiB
PowerShell
# Copyright (c) Microsoft Corporation. All rights reserved.
|
|
# Licensed under the MIT License.
|
|
|
|
# IMPORTANT: Do not invoke this file directly. Please instead run eng/common/TestResources/New-TestResources.ps1 from the repository root.
|
|
|
|
param (
|
|
[hashtable] $AdditionalParameters = @{},
|
|
[hashtable] $DeploymentOutputs,
|
|
|
|
[Parameter(Mandatory = $true)]
|
|
[ValidateNotNullOrEmpty()]
|
|
[string] $SubscriptionId,
|
|
|
|
[Parameter(ParameterSetName = 'Provisioner', Mandatory = $true)]
|
|
[ValidateNotNullOrEmpty()]
|
|
[string] $TenantId,
|
|
|
|
[Parameter()]
|
|
[ValidatePattern('^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$')]
|
|
[string] $TestApplicationId,
|
|
|
|
[Parameter(Mandatory = $true)]
|
|
[ValidateNotNullOrEmpty()]
|
|
[string] $Environment,
|
|
|
|
# Captures any arguments from eng/New-TestResources.ps1 not declared here (no parameter errors).
|
|
[Parameter(ValueFromRemainingArguments = $true)]
|
|
$RemainingArguments
|
|
)
|
|
|
|
$ErrorActionPreference = 'Stop'
|
|
$PSNativeCommandUseErrorActionPreference = $true
|
|
|
|
if ($CI) {
|
|
if (!$AdditionalParameters['deployResources']) {
|
|
Write-Host "Skipping post-provisioning script because resources weren't deployed"
|
|
return
|
|
}
|
|
az cloud set -n $Environment
|
|
az login --federated-token $env:ARM_OIDC_TOKEN --service-principal -t $TenantId -u $TestApplicationId
|
|
az account set --subscription $SubscriptionId
|
|
}
|
|
|
|
Write-Host "Building container"
|
|
$image = "$($DeploymentOutputs['AZIDENTITY_ACR_LOGIN_SERVER'])/azidentity-managed-id-test"
|
|
Set-Content -Path "$PSScriptRoot/Dockerfile" -Value @"
|
|
FROM mcr.microsoft.com/oss/go/microsoft/golang:latest AS builder
|
|
ENV GOARCH=amd64 GOWORK=off
|
|
COPY . /azidentity
|
|
WORKDIR /azidentity/testdata/managed-id-test
|
|
RUN go mod tidy
|
|
RUN go build -o /build/managed-id-test .
|
|
RUN GOOS=windows go build -o /build/managed-id-test.exe .
|
|
|
|
FROM mcr.microsoft.com/mirror/docker/library/alpine:3.16
|
|
RUN apk add gcompat
|
|
COPY --from=builder /build/* .
|
|
RUN chmod +x managed-id-test
|
|
CMD ["./managed-id-test"]
|
|
"@
|
|
# build from sdk/azidentity because we need that dir in the context (because the test app uses local azidentity)
|
|
docker build -t $image "$PSScriptRoot"
|
|
az acr login -n $DeploymentOutputs['AZIDENTITY_ACR_NAME']
|
|
docker push $image
|
|
|
|
$rg = $DeploymentOutputs['AZIDENTITY_RESOURCE_GROUP']
|
|
|
|
# ACI is easier to provision here than in the bicep file because the image isn't available before now
|
|
Write-Host "Deploying Azure Container Instance"
|
|
$aciName = "azidentity-test"
|
|
az container create -g $rg -n $aciName --image $image `
|
|
--acr-identity $($DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY']) `
|
|
--assign-identity [system] $($DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY']) `
|
|
--role "Storage Blob Data Reader" `
|
|
--scope $($DeploymentOutputs['AZIDENTITY_STORAGE_ID']) `
|
|
-e AZIDENTITY_STORAGE_NAME=$($DeploymentOutputs['AZIDENTITY_STORAGE_NAME']) `
|
|
AZIDENTITY_STORAGE_NAME_USER_ASSIGNED=$($DeploymentOutputs['AZIDENTITY_STORAGE_NAME_USER_ASSIGNED']) `
|
|
AZIDENTITY_USER_ASSIGNED_IDENTITY=$($DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY']) `
|
|
AZIDENTITY_USER_ASSIGNED_IDENTITY_CLIENT_ID=$($DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY_CLIENT_ID']) `
|
|
AZIDENTITY_USER_ASSIGNED_IDENTITY_OBJECT_ID=$($DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY_OBJECT_ID']) `
|
|
FUNCTIONS_CUSTOMHANDLER_PORT=80
|
|
Write-Host "##vso[task.setvariable variable=AZIDENTITY_ACI_NAME;]$aciName"
|
|
|
|
# Azure Functions deployment: copy the Windows binary from the Docker image, deploy it in a zip
|
|
Write-Host "Deploying to Azure Functions"
|
|
$container = docker create $image
|
|
docker cp ${container}:managed-id-test.exe "$PSScriptRoot/testdata/managed-id-test/"
|
|
docker rm -v $container
|
|
Compress-Archive -Path "$PSScriptRoot/testdata/managed-id-test/*" -DestinationPath func.zip -Force
|
|
az functionapp deploy -g $rg -n $DeploymentOutputs['AZIDENTITY_FUNCTION_NAME'] --src-path func.zip --type zip
|
|
|
|
Write-Host "Creating federated identity"
|
|
$aksName = $DeploymentOutputs['AZIDENTITY_AKS_NAME']
|
|
$idName = $DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY_NAME']
|
|
$issuer = az aks show -g $rg -n $aksName --query "oidcIssuerProfile.issuerUrl" -otsv
|
|
$podName = "azidentity-test"
|
|
$serviceAccountName = "workload-identity-sa"
|
|
az identity federated-credential create -g $rg --identity-name $idName --issuer $issuer --name $idName --subject system:serviceaccount:default:$serviceAccountName
|
|
Write-Host "Deploying to AKS"
|
|
az aks get-credentials -g $rg -n $aksName
|
|
az aks update --attach-acr $DeploymentOutputs['AZIDENTITY_ACR_NAME'] -g $rg -n $aksName
|
|
Set-Content -Path "$PSScriptRoot/k8s.yaml" -Value @"
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
annotations:
|
|
azure.workload.identity/client-id: $($DeploymentOutputs['AZIDENTITY_USER_ASSIGNED_IDENTITY_CLIENT_ID'])
|
|
name: $serviceAccountName
|
|
namespace: default
|
|
---
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: $podName
|
|
namespace: default
|
|
labels:
|
|
app: $podName
|
|
azure.workload.identity/use: "true"
|
|
spec:
|
|
serviceAccountName: $serviceAccountName
|
|
containers:
|
|
- name: $podName
|
|
image: $image
|
|
env:
|
|
- name: AZIDENTITY_STORAGE_NAME
|
|
value: $($DeploymentOutputs['AZIDENTITY_STORAGE_NAME_USER_ASSIGNED'])
|
|
- name: AZIDENTITY_USE_WORKLOAD_IDENTITY
|
|
value: "true"
|
|
- name: FUNCTIONS_CUSTOMHANDLER_PORT
|
|
value: "80"
|
|
nodeSelector:
|
|
kubernetes.io/os: linux
|
|
"@
|
|
kubectl apply -f "$PSScriptRoot/k8s.yaml"
|
|
Write-Host "##vso[task.setvariable variable=AZIDENTITY_POD_NAME;]$podName"
|