From 4d23aad2fdc0facc3d643c6029b36f24be5a5872 Mon Sep 17 00:00:00 2001 From: Danielkon96 Date: Mon, 7 Jun 2021 22:49:31 +0000 Subject: [PATCH 1/3] Automation script runs. Receiving 500 and 503 errors when trying to access website. --- AutomationScripts/2-ingressCreation.sh | 10 +++-- AutomationScripts/4-deployMSALProxy.sh | 41 ++++++++++++++----- AutomationScripts/5-installCertManager.sh | 19 ++++++--- .../6-deployNewIngressResource.sh | 24 +++++++---- K8s-Config/aad-secret.yaml | 10 +++++ K8s-Config/azure-files-storage-class.yaml | 2 +- K8s-Config/azure-pvc-roles.yaml | 3 +- K8s-Config/cluster-issuer-prod.yaml | 16 ++++++++ .../data-protection-persistent-claim.yaml | 3 +- K8s-Config/hello-world-ingress.yaml | 39 +++++++++--------- K8s-Config/msal-net-proxy.yaml | 23 +++-------- main.sh | 2 +- manifest.json | 11 +++++ 13 files changed, 131 insertions(+), 72 deletions(-) create mode 100644 K8s-Config/aad-secret.yaml create mode 100644 K8s-Config/cluster-issuer-prod.yaml create mode 100644 manifest.json diff --git a/AutomationScripts/2-ingressCreation.sh b/AutomationScripts/2-ingressCreation.sh index c49b830..5ea1799 100644 --- a/AutomationScripts/2-ingressCreation.sh +++ b/AutomationScripts/2-ingressCreation.sh 
@@ -2,14 +2,16 @@ echo "BEGIN @ $(date +"%T"): Installing the ingress controller..." kubectl create ns ingress-controllers -helm install nginx-ingress stable/nginx-ingress --namespace ingress-controllers --set rbac.create=true +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx +helm repo update +helm install nginx-ingress ingress-nginx/ingress-nginx --namespace ingress-controllers --set rbac.create=true -INGRESS_IP=$(kubectl get services/nginx-ingress-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}") +INGRESS_IP=$(kubectl get services/nginx-ingress-ingress-nginx-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}") while [ "$INGRESS_IP" = "" ] do echo "UPDATE @ $(date +"%T"): Checking for INGRESS_IP from Azure..." - INGRESS_IP=$(kubectl get services/nginx-ingress-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}") + INGRESS_IP=$(kubectl get services/nginx-ingress-ingress-nginx-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}") echo "UPDATE @ $(date +"%T"): Sleeping for 5 seconds..." sleep 5 done @@ -19,7 +21,7 @@ echo "BEGIN @ $(date +"%T"): Configure DNS for the cluster public IP..." NODE_RG=$(az aks show -n $CLUSTER_NAME -g $CLUSTER_RG -o json | jq -r '.nodeResourceGroup') echo "UPDATE @ $(date +"%T"): " $NODE_RG -INGRESS_IP=$(kubectl get services/nginx-ingress-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}") +INGRESS_IP=$(kubectl get services/nginx-ingress-ingress-nginx-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}") echo "UPDATE @ $(date +"%T"): " $INGRESS_IP IP_NAME=$(az network public-ip list -g $NODE_RG -o json | jq -c ".[] | select(.ipAddress | contains(\"$INGRESS_IP\"))" | jq '.name' -r) diff --git a/AutomationScripts/4-deployMSALProxy.sh b/AutomationScripts/4-deployMSALProxy.sh index e4ca79c..c9473d5 100644 
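Review bot: The chart is installed without `--version`, and the poll loop below it hard-codes the chart-generated service name `nginx-ingress-ingress-nginx-controller`; if a later chart release renames the controller service, or Azure never assigns a LoadBalancer IP, the `while [ "$INGRESS_IP" = "" ]` loop spins forever with no failure path. Pin the chart with `helm install nginx-ingress ingress-nginx/ingress-nginx --namespace ingress-controllers --version <chart-version> --set rbac.create=true` and bound the loop with an attempt counter that exits non-zero after a limit. In the second hunk, `az aks show -n $CLUSTER_NAME -g $CLUSTER_RG` should quote both expansions.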
--- a/AutomationScripts/4-deployMSALProxy.sh +++ b/AutomationScripts/4-deployMSALProxy.sh @@ -1,7 +1,9 @@ #!/bin/sh -x +# Every file has one dot instead of two because we are calling main.sh, so we access the "current" directory which is where main.sh is located. + echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..." -cat << EOF > ../msal-proxy/templates/azure-files-storage-class.yaml +cat << EOF > ./K8s-Config/azure-files-storage-class.yaml kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: @@ -19,11 +21,11 @@ parameters: skuName: Standard_LRS EOF -cat msal-proxy/templates/azure-files-storage-class.yaml +cat ./K8s-Config/azure-files-storage-class.yaml # kubectl apply -f azure-files-storage-class.yaml -cat << EOF > ../msal-proxy/templates/data-protection-persistent-claim.yaml +cat << EOF > ./K8s-Config/data-protection-persistent-claim.yaml apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -37,11 +39,28 @@ spec: storage: 5Gi EOF -cat msal-proxy/templates/data-protection-persistent-claim.yaml +cat ./K8s-Config/data-protection-persistent-claim.yaml # kubectl apply -f data-protection-persistent-claim.yaml -cat << EOF > ../azure-pvc-roles.yaml +cat << EOF > ./K8s-Config/aad-secret.yaml +apiVersion: v1 +kind: Secret +metadata: + name: aad-secret + namespace: default +type: Opaque +stringData: + AZURE_TENANT_ID: $AZURE_TENANT_ID + CLIENT_ID: $CLIENT_ID + CLIENT_SECRET: $CLIENT_SECRET +EOF + +cat ./K8s-Config/aad-secret.yaml + +kubectl apply -f ./K8s-Config/aad-secret.yaml + +cat << EOF > ./K8s-Config/azure-pvc-roles.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -65,11 +84,11 @@ subjects: namespace: kube-system EOF -cat azure-pvc-roles.yaml +cat ./K8s-Config/azure-pvc-roles.yaml -kubectl apply -f azure-pvc-roles.yaml +kubectl apply -f ./K8s-Config/azure-pvc-roles.yaml -cat << EOF > ../msal-proxy/templates/msal-net-proxy.yaml +cat << EOF > ./K8s-Config/msal-net-proxy.yaml apiVersion: extensions/v1beta1 kind: Deployment metadata: 
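Review bot: The new `cat << EOF > ./K8s-Config/aad-secret.yaml` block in the `@@ -37,11 +39,28 @@` hunk renders `$CLIENT_SECRET` into a file under the tracked `K8s-Config/` directory and then `cat`s it to stdout, so the client secret lands in the working tree (and, as this same commit shows, in git) as well as in any captured console log. Write the rendered manifest to a `mktemp` path that is removed after `kubectl apply`, or feed the heredoc straight into `kubectl apply -f -`, and drop the `cat` of the secret manifest. A comment above the block such as `# aad-secret carries the AAD client secret: never write it to a tracked path or echo it` would make the intent clear to the next editor.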
@@ -143,13 +162,15 @@ spec: selector: k8s-app: msal-net-proxy EOF -cat msal-proxy/templates/msal-net-proxy.yaml +cat ./K8s-Config/msal-net-proxy.yaml # kubectl apply -f msal-net-proxy.yaml echo "BEGIN @ $(date +"%T"): Calling Helm..." echo "" -helm install msal-proxy msal-proxy + +helm install msal-proxy ./charts/msal-proxy + echo "" echo "COMPLETE @ $(date +"%T"): Calling Helm" diff --git a/AutomationScripts/5-installCertManager.sh b/AutomationScripts/5-installCertManager.sh index 95bf91b..81e89d8 100644 --- a/AutomationScripts/5-installCertManager.sh +++ b/AutomationScripts/5-installCertManager.sh @@ -5,17 +5,26 @@ TLS_SECRET_NAME=ingress-tls-prod kubectl create namespace cert-manager -kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml --validate=false +# kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml --validate=false helm repo add jetstack https://charts.jetstack.io helm repo update -helm install cert-manager --namespace cert-manager --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer jetstack/cert-manager --version v0.11.0 +# helm install cert-manager --namespace cert-manager --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer jetstack/cert-manager --version v0.11.0 + +helm install \ + cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --version v1.3.1 \ + --set installCRDs=true \ + --set ingressShim.defaultIssuerName=letsencrypt-prod \ + --set ingressShim.defaultIssuerKind=ClusterIssuer kubectl get pods -n cert-manager -cat << EOF > ../cluster-issuer-prod.yaml +cat << EOF > ./K8s-Config/cluster-issuer-prod.yaml apiVersion: cert-manager.io/v1alpha2 kind: ClusterIssuer metadata: 
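Review bot: The ClusterIssuer rendered at the end of the `5-installCertManager.sh` hunk still declares `apiVersion: cert-manager.io/v1alpha2` while the same hunk moves the install to `jetstack/cert-manager --version v1.3.1`; the v1alpha2 API is deprecated in the cert-manager 1.x line, and `apiVersion: cert-manager.io/v1` is the version that matches the installed release (the committed `K8s-Config/cluster-issuer-prod.yaml` carries the same stale header). The `namespace: cert-manager` under `metadata` has no effect on a cluster-scoped ClusterIssuer and can be dropped. A short comment, `# cert-manager.io/v1 is the stable API for cert-manager >= 1.0`, next to the apiVersion would stop the old value from being copied again.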
@@ -34,7 +43,7 @@ spec: class: nginx EOF -cat cluster-issuer-prod.yaml +cat ./K8s-Config/cluster-issuer-prod.yaml INPUT_STRING=no while [ "$INPUT_STRING" != "yes" ] @@ -46,6 +55,6 @@ do read INPUT_STRING done -kubectl apply -f cluster-issuer-prod.yaml +kubectl apply -f ./K8s-Config/cluster-issuer-prod.yaml echo "COMPLETE @ $(date +"%T"): Install Cert Manager" \ No newline at end of file diff --git a/AutomationScripts/6-deployNewIngressResource.sh b/AutomationScripts/6-deployNewIngressResource.sh index 4920541..07cd879 100644 --- a/AutomationScripts/6-deployNewIngressResource.sh +++ b/AutomationScripts/6-deployNewIngressResource.sh @@ -1,8 +1,8 @@ #!/bin/sh -x echo "BEGIN @ $(date +"%T"): Deploy the Ingress Resources..." -cat << EOF > ../hello-world-ingress.yaml -apiVersion: extensions/v1beta1 +cat << EOF > ./K8s-Config/hello-world-ingress.yaml +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: hello-world-ingress @@ -24,11 +24,14 @@ spec: http: paths: - backend: - serviceName: kuard-pod - servicePort: 8080 + service: + name: kuard-pod + port: + number: 8080 path: /(.*) + pathType: Prefix --- -apiVersion: extensions/v1beta1 +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: msal-net-proxy @@ -38,17 +41,20 @@ spec: http: paths: - backend: - serviceName: msal-net-proxy - servicePort: 80 + service: + name: msal-net-proxy + port: + number: 80 path: /msal + pathType: Prefix tls: - hosts: - $APP_HOSTNAME secretName: $TLS_SECRET_NAME EOF -cat hello-world-ingress.yaml +cat ./K8s-Config/hello-world-ingress.yaml -kubectl apply -f hello-world-ingress.yaml +kubectl apply -f ./K8s-Config/hello-world-ingress.yaml echo "COMPLETE @ $(date +"%T"): Deploy the Ingress Resources" \ No newline at end of file diff --git a/K8s-Config/aad-secret.yaml b/K8s-Config/aad-secret.yaml new file mode 100644 index 0000000..831c6b0 --- /dev/null +++ b/K8s-Config/aad-secret.yaml 
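Review bot: The script renders environment-specific values (`$APP_HOSTNAME`, `$TLS_SECRET_NAME`) into the tracked file `./K8s-Config/hello-world-ingress.yaml`, and this series then commits the result with a real hostname, so the repo copy is a stale generated artifact rather than a template. Either write to a `mktemp` path (or apply the heredoc directly with `kubectl apply -f - << EOF`) or add the generated file to `.gitignore`. Emitting `# Generated by 6-deployNewIngressResource.sh from APP_HOSTNAME/TLS_SECRET_NAME; do not edit by hand` as the first line of the heredoc would also discourage hand edits to the output.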
@@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: aad-secret + namespace: default +type: Opaque +stringData: + AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47 + CLIENT_ID: cc37d3ad-32ce-4786-9c69-bb0025d788d3 + CLIENT_SECRET: ON9.HC1I9PYS9cGr-G13CDqm1VkTbPGSUu diff --git a/K8s-Config/azure-files-storage-class.yaml b/K8s-Config/azure-files-storage-class.yaml index f445f97..98d2079 100644 --- a/K8s-Config/azure-files-storage-class.yaml +++ b/K8s-Config/azure-files-storage-class.yaml @@ -12,4 +12,4 @@ mountOptions: - nobrl - cache=none parameters: - skuName: Standard_LRS \ No newline at end of file + skuName: Standard_LRS diff --git a/K8s-Config/azure-pvc-roles.yaml b/K8s-Config/azure-pvc-roles.yaml index ebee2fa..9c941a6 100644 --- a/K8s-Config/azure-pvc-roles.yaml +++ b/K8s-Config/azure-pvc-roles.yaml @@ -1,4 +1,3 @@ ---- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -19,4 +18,4 @@ roleRef: subjects: - kind: ServiceAccount name: persistent-volume-binder - namespace: kube-system \ No newline at end of file + namespace: kube-system diff --git a/K8s-Config/cluster-issuer-prod.yaml b/K8s-Config/cluster-issuer-prod.yaml new file mode 100644 index 0000000..4b0d0c8 --- /dev/null +++ b/K8s-Config/cluster-issuer-prod.yaml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod + namespace: cert-manager +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: dakondra@microsoft.com + privateKeySecretRef: + name: letsencrypt-prod + # Add a single challenge solver, HTTP01 using nginx + solvers: + - http01: + ingress: + class: nginx diff --git a/K8s-Config/data-protection-persistent-claim.yaml b/K8s-Config/data-protection-persistent-claim.yaml index 1913db3..cd81620 100644 --- a/K8s-Config/data-protection-persistent-claim.yaml +++ b/K8s-Config/data-protection-persistent-claim.yaml 
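Review bot: `K8s-Config/aad-secret.yaml` commits a real tenant id, application (client) id and, under `CLIENT_SECRET`, a plaintext AAD client secret; once pushed, that credential has to be treated as compromised regardless of later edits. Revoke it in the app registration and issue a new one, remove the file from the repository and purge it from history, and keep it out of the tree (ignore `K8s-Config/aad-secret.yaml`) — the script already creates the Secret from `$AZURE_TENANT_ID`/`$CLIENT_ID`/`$CLIENT_SECRET`. The same plaintext values are also embedded as `env` `value:` entries in `K8s-Config/msal-net-proxy.yaml` in this commit, and the rotated replacements in the second patch (`K8s-Config/aad-secret.yaml` and `K8s-Config/msal-net-proxy.yaml` again) repeat the problem, so the rotated secret needs the same treatment.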
@@ -2,11 +2,10 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: msal-net-proxy-az-file-pv-claim - namespace: ingress-basic spec: accessModes: - ReadWriteMany storageClassName: azurefile resources: requests: - storage: 5Gi \ No newline at end of file + storage: 5Gi diff --git a/K8s-Config/hello-world-ingress.yaml b/K8s-Config/hello-world-ingress.yaml index 6d96e23..06f29e1 100644 --- a/K8s-Config/hello-world-ingress.yaml +++ b/K8s-Config/hello-world-ingress.yaml 
@@ -1,50 +1,49 @@ -apiVersion: extensions/v1beta1 +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: hello-world-ingress - namespace: ingress-basic annotations: nginx.ingress.kubernetes.io/auth-url: "https://$host/msal/auth" nginx.ingress.kubernetes.io/auth-signin: "https://$host/msal/index?rd=$escaped_request_uri" nginx.ingress.kubernetes.io/auth-response-headers: "x-injected-aio,x-injected-name,x-injected-nameidentifier,x-injected-objectidentifier,x-injected-preferred_username,x-injected-tenantid,x-injected-uti" kubernetes.io/ingress.class: nginx + kubernetes.io/tls-acme: "true" certmanager.k8s.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/rewrite-target: /$1 spec: tls: - hosts: - - t20.mikerichter.us - secretName: tls-secret + - aadautofix.eastus.cloudapp.azure.com + secretName: ingress-tls-prod rules: - - host: t20.mikerichter.us + - host: aadautofix.eastus.cloudapp.azure.com http: paths: - backend: - serviceName: kuard-pod - servicePort: 8080 + service: + name: kuard-pod + port: + number: 8080 path: /(.*) - - backend: - serviceName: ingress-demo - servicePort: 80 - path: /hello-world-two(/|$)(.*) - + pathType: Prefix --- - -apiVersion: extensions/v1beta1 +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: msal-net-proxy - namespace: ingress-basic spec: rules: - - host: t20.mikerichter.us + - host: aadautofix.eastus.cloudapp.azure.com http: paths: - backend: - serviceName: msal-net-proxy - servicePort: 80 + service: + name: msal-net-proxy + port: + number: 80 path: /msal + pathType: Prefix tls: - hosts: - - t20.mikerichter.us - secretName: tls-secret \ No newline at end of file + - aadautofix.eastus.cloudapp.azure.com + secretName: ingress-tls-prod diff --git a/K8s-Config/msal-net-proxy.yaml b/K8s-Config/msal-net-proxy.yaml index a8b6d21..6c0324e 100644 --- a/K8s-Config/msal-net-proxy.yaml +++ b/K8s-Config/msal-net-proxy.yaml 
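Review bot: The `hello-world-ingress` annotations keep `certmanager.k8s.io/cluster-issuer: letsencrypt-prod`, which is the pre-0.11 annotation key; with the cert-manager v1.3.1 that this series installs, the recognized key is `cert-manager.io/cluster-issuer`, and as far as I can tell the certificate is only issued here because `kubernetes.io/tls-acme: "true"` falls back to the `ingressShim.defaultIssuerName` set at install time. Replace the stale key so the issuer selection is explicit. The first rule also pairs the regex `path: /(.*)` with `pathType: Prefix`; the `networking.k8s.io/v1` API expects `ImplementationSpecific` for regex paths (the second patch makes that change in `kuard-ingress.yaml` but leaves this file as-is).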
@@ -4,7 +4,6 @@ metadata: labels: k8s-app: msal-net-proxy name: msal-net-proxy - namespace: ingress-basic spec: replicas: 2 selector: @@ -16,7 +15,7 @@ spec: k8s-app: msal-net-proxy spec: containers: - - image: richtercloud/msal-net-proxy-opt:latest + - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: Always name: msal-net-proxy env: @@ -29,24 +28,15 @@ spec: - name: AzureAd__Domain value: microsoft.onmicrosoft.com - name: AzureAd__TenantId - valueFrom: - secretKeyRef: - name: azure-ad-secrets - key: AzureAd__TenantId + value: 72f988bf-86f1-41af-91ab-2d7cd011db47 - name: AzureAd__ClientId - valueFrom: - secretKeyRef: - name: azure-ad-secrets - key: AzureAd__ClientId + value: cc37d3ad-32ce-4786-9c69-bb0025d788d3 - name: AzureAd__CallbackPath value: /msal/signin-oidc - name: AzureAd__SignedOutCallbackPath value: /msal/signout-callback-oidc - name: AzureAd__ClientSecret - valueFrom: - secretKeyRef: - name: azure-ad-secrets - key: AzureAd__ClientSecret + value: ON9.HC1I9PYS9cGr-G13CDqm1VkTbPGSUu - name: Logging__LogLevel__Default value: Debug - name: AllowedHosts @@ -65,16 +55,13 @@ spec: - name: dpvol persistentVolumeClaim: claimName: msal-net-proxy-az-file-pv-claim - --- - apiVersion: v1 kind: Service metadata: labels: k8s-app: msal-net-proxy name: msal-net-proxy - namespace: ingress-basic spec: ports: - name: http @@ -82,4 +69,4 @@ spec: protocol: TCP targetPort: 80 selector: - k8s-app: msal-net-proxy \ No newline at end of file + k8s-app: msal-net-proxy diff --git a/main.sh b/main.sh index 3f57d35..43ba7c5 100644 --- a/main.sh +++ b/main.sh @@ -155,7 +155,7 @@ echo "COMPLETE @ $(date +"%T"): Getting cluster creds" # Add Helm -helm repo add stable https://kubernetes-charts.storage.googleapis.com +helm repo add stable https://charts.helm.sh/stable echo "****BEGIN @ $(date +"%T"): Call Ingress Controller Creation script****" diff --git a/manifest.json b/manifest.json new file mode 100644 index 0000000..f2bdb59 --- /dev/null 
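Review bot: The `@@ -29,24 +28,15 @@` hunk replaces the `valueFrom.secretKeyRef` entries for `AzureAd__TenantId`, `AzureAd__ClientId` and `AzureAd__ClientSecret` with inline `value:` literals, moving the client secret out of a Secret and into the Deployment spec (and into git). The same commit creates an `aad-secret` Secret with keys `AZURE_TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET`, so the env entries should reference it. Separately, the `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` line is Helm template syntax in a file under `K8s-Config/`; if this file is meant for `kubectl apply` it will fail to pull, and if it is meant to live in the chart it belongs under `charts/msal-proxy/templates`.
```yaml
        - name: AzureAd__TenantId
          valueFrom:
            secretKeyRef:
              name: aad-secret
              key: AZURE_TENANT_ID
        - name: AzureAd__ClientId
          valueFrom:
            secretKeyRef:
              name: aad-secret
              key: CLIENT_ID
        # … unchanged: AzureAd__CallbackPath / AzureAd__SignedOutCallbackPath …
        - name: AzureAd__ClientSecret
          valueFrom:
            secretKeyRef:
              name: aad-secret
              key: CLIENT_SECRET
```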
+++ b/manifest.json @@ -0,0 +1,11 @@ +[ + { + "resourceAccess" : [ + { + "id" : "e1fe6dd8-ba31-4d61-89e7-88639da4683d", + "type" : "Scope" + } + ], + "resourceAppId" : "00000003-0000-0000-c000-000000000000" + } +] From 113ae1eaca32b2b92b698f4631ca3bf79a3c7d6f Mon Sep 17 00:00:00 2001 From: Danielkon96 Date: Thu, 10 Jun 2021 19:16:39 +0000 Subject: [PATCH 2/3] added additional fixes --- AutomationScripts/4-deployMSALProxy.sh | 165 +----------------- AutomationScripts/5-installCertManager.sh | 25 +-- .../6-deployNewIngressResource.sh | 18 +- K8s-Config/aad-secret.yaml | 4 +- K8s-Config/hello-world-ingress.yaml | 8 +- K8s-Config/kuard-ingress.yaml | 49 ++++++ K8s-Config/msal-net-proxy.yaml | 4 +- main.sh | 26 ++- 8 files changed, 99 insertions(+), 200 deletions(-) create mode 100644 K8s-Config/kuard-ingress.yaml diff --git a/AutomationScripts/4-deployMSALProxy.sh b/AutomationScripts/4-deployMSALProxy.sh index c9473d5..823ed35 100644 --- a/AutomationScripts/4-deployMSALProxy.sh +++ b/AutomationScripts/4-deployMSALProxy.sh 
@@ -3,166 +3,17 @@ # Every file has one dot instead of two because we are calling main.sh, so we access the "current" directory which is where main.sh is located. echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..." -cat << EOF > ./K8s-Config/azure-files-storage-class.yaml -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: azurefile -provisioner: kubernetes.io/azure-file -mountOptions: - - dir_mode=0777 - - file_mode=0777 - - uid=1000 - - gid=1000 - - mfsymlinks - - nobrl - - cache=none -parameters: - skuName: Standard_LRS -EOF -cat ./K8s-Config/azure-files-storage-class.yaml - -# kubectl apply -f azure-files-storage-class.yaml - -cat << EOF > ./K8s-Config/data-protection-persistent-claim.yaml -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: msal-net-proxy-az-file-pv-claim -spec: - accessModes: - - ReadWriteMany - storageClassName: azurefile - resources: - requests: - storage: 5Gi -EOF - -cat ./K8s-Config/data-protection-persistent-claim.yaml - -# kubectl apply -f data-protection-persistent-claim.yaml - -cat << EOF > ./K8s-Config/aad-secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: aad-secret - namespace: default -type: Opaque -stringData: - AZURE_TENANT_ID: $AZURE_TENANT_ID - CLIENT_ID: $CLIENT_ID - CLIENT_SECRET: $CLIENT_SECRET -EOF - -cat ./K8s-Config/aad-secret.yaml - -kubectl apply -f ./K8s-Config/aad-secret.yaml - -cat << EOF > ./K8s-Config/azure-pvc-roles.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: system:azure-cloud-provider -rules: -- apiGroups: [''] - resources: ['secrets'] - verbs: ['get','create'] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:azure-cloud-provider -roleRef: - kind: ClusterRole - apiGroup: rbac.authorization.k8s.io - name: system:azure-cloud-provider -subjects: -- kind: ServiceAccount - name: persistent-volume-binder - namespace: kube-system -EOF - -cat ./K8s-Config/azure-pvc-roles.yaml +echo "BEGIN @ 
$(date +"%T"): Deploying secret..." +echo "" -kubectl apply -f ./K8s-Config/azure-pvc-roles.yaml +kubectl create secret generic aad-secret \ + --from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \ + --from-literal=CLIENT_ID=$CLIENT_ID \ + --from-literal=CLIENT_SECRET=$CLIENT_SECRET -cat << EOF > ./K8s-Config/msal-net-proxy.yaml -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - labels: - k8s-app: msal-net-proxy - name: msal-net-proxy -spec: - replicas: 2 - selector: - matchLabels: - k8s-app: msal-net-proxy - template: - metadata: - labels: - k8s-app: msal-net-proxy - spec: - containers: - - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: Always - name: msal-net-proxy - env: - - name: DataProtectionFileLocation - value: /mnt/dp - - name: ForceHttps - value: "true" - - name: AzureAd__Instance - value: https://login.microsoftonline.com/ - - name: AzureAd__Domain - value: microsoft.onmicrosoft.com - - name: AzureAd__TenantId - value: $AZURE_TENANT_ID - - name: AzureAd__ClientId - value: $CLIENT_ID - - name: AzureAd__CallbackPath - value: /msal/signin-oidc - - name: AzureAd__SignedOutCallbackPath - value: /msal/signout-callback-oidc - - name: AzureAd__ClientSecret - value: $CLIENT_SECRET - - name: Logging__LogLevel__Default - value: Debug - - name: AllowedHosts - value: "*" - - name: RedirectParam - value: rd - - name: ShowLogin - value: "false" - ports: - - containerPort: 80 - protocol: TCP - volumeMounts: - - mountPath: "/mnt/dp" - name: dpvol - volumes: - - name: dpvol - persistentVolumeClaim: - claimName: msal-net-proxy-az-file-pv-claim ---- -apiVersion: v1 -kind: Service -metadata: - labels: - k8s-app: msal-net-proxy - name: msal-net-proxy -spec: - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - selector: - k8s-app: msal-net-proxy -EOF -cat ./K8s-Config/msal-net-proxy.yaml +echo "" +echo "COMPLETE @ $(date +"%T"): Deploying secret" # kubectl apply -f msal-net-proxy.yaml 
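Review bot: The new `kubectl create secret generic aad-secret --from-literal=CLIENT_SECRET=$CLIENT_SECRET` runs under a traced shell (`#!/bin/sh -x`, and main.sh sources this file), so the trace line prints the client secret to the console and any saved log; the value is also visible to other users on the host in the process arguments while kubectl runs. Pause tracing around the call and quote the expansions, and use `--dry-run=client -o yaml | kubectl apply -f -` so re-runs do not fail with AlreadyExists; if argv exposure matters, switch to `--from-file` with a `mktemp` file that is removed afterwards. Note that `set +x`/`set -x` here changes main.sh's tracing state because the script is sourced, which is why the original state is restored. The leftover `# kubectl apply -f msal-net-proxy.yaml` comment no longer refers to anything in this file and can go.
```shell
# Tracing would print the client secret; pause it while the Secret is created.
set +x
kubectl create secret generic aad-secret \
  --from-literal=AZURE_TENANT_ID="$AZURE_TENANT_ID" \
  --from-literal=CLIENT_ID="$CLIENT_ID" \
  --from-literal=CLIENT_SECRET="$CLIENT_SECRET" \
  --dry-run=client -o yaml | kubectl apply -f -
set -x
```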
diff --git a/AutomationScripts/5-installCertManager.sh b/AutomationScripts/5-installCertManager.sh index 81e89d8..7f571a6 100644 --- a/AutomationScripts/5-installCertManager.sh +++ b/AutomationScripts/5-installCertManager.sh @@ -1,7 +1,7 @@ #!/bin/sh -x echo "BEGIN @ $(date +"%T"): Install Cert Manager..." -TLS_SECRET_NAME=ingress-tls-prod +TLS_SECRET_NAME=$APP_HOSTNAME-tls kubectl create namespace cert-manager @@ -16,7 +16,6 @@ helm repo update helm install \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ - --create-namespace \ --version v1.3.1 \ --set installCRDs=true \ --set ingressShim.defaultIssuerName=letsencrypt-prod \ @@ -24,6 +23,18 @@ helm install \ kubectl get pods -n cert-manager +echo "Make sure the cert-manager pods have started BEFORE proceeding." + +INPUT_STRING=no +while [ "$INPUT_STRING" != "yes" ] +do + echo "" + kubectl get pods -n cert-manager + echo "" + echo "Did the cert-manager pods start OK? Type 'yes' or press enter to try again..." + read INPUT_STRING +done + cat << EOF > ./K8s-Config/cluster-issuer-prod.yaml apiVersion: cert-manager.io/v1alpha2 kind: ClusterIssuer @@ -45,16 +56,6 @@ EOF cat ./K8s-Config/cluster-issuer-prod.yaml -INPUT_STRING=no -while [ "$INPUT_STRING" != "yes" ] -do - echo "" - kubectl get pods -n cert-manager - echo "" - echo "Did the cert-manager pods start OK? Type 'yes' or press enter to try again..." - read INPUT_STRING -done - kubectl apply -f ./K8s-Config/cluster-issuer-prod.yaml echo "COMPLETE @ $(date +"%T"): Install Cert Manager" \ No newline at end of file diff --git a/AutomationScripts/6-deployNewIngressResource.sh b/AutomationScripts/6-deployNewIngressResource.sh index 07cd879..202619b 100644 --- a/AutomationScripts/6-deployNewIngressResource.sh +++ b/AutomationScripts/6-deployNewIngressResource.sh 
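Review bot: The relocated `while [ "$INPUT_STRING" != "yes" ]` loop makes the script block on a human to confirm that cert-manager pods are up, which gives no bounded failure and defeats the point of an automation script. `kubectl wait --namespace cert-manager --for=condition=Available deployment --all --timeout=180s || exit 1` expresses the same readiness check non-interactively, and in practice the webhook deployment must be Available before the ClusterIssuer apply at the end of the file succeeds. `read INPUT_STRING` should be `read -r INPUT_STRING` if the prompt is kept, and `TLS_SECRET_NAME=$APP_HOSTNAME-tls` reads more clearly as `TLS_SECRET_NAME="${APP_HOSTNAME}-tls"`.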
@@ -1,20 +1,20 @@ #!/bin/sh -x echo "BEGIN @ $(date +"%T"): Deploy the Ingress Resources..." -cat << EOF > ./K8s-Config/hello-world-ingress.yaml +cat << EOF > ./K8s-Config/kuard-ingress.yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: hello-world-ingress + name: kuard annotations: nginx.ingress.kubernetes.io/auth-url: "https://\$host/msal/auth" nginx.ingress.kubernetes.io/auth-signin: "https://\$host/msal/index?rd=\$escaped_request_uri" nginx.ingress.kubernetes.io/auth-response-headers: "x-injected-aio,x-injected-name,x-injected-nameidentifier,x-injected-objectidentifier,x-injected-preferred_username,x-injected-tenantid,x-injected-uti" - kubernetes.io/ingress.class: nginx kubernetes.io/tls-acme: "true" certmanager.k8s.io/cluster-issuer: letsencrypt-prod nginx.ingress.kubernetes.io/rewrite-target: /\$1 spec: + ingressClassName: nginx tls: - hosts: - $APP_HOSTNAME @@ -29,12 +29,12 @@ spec: port: number: 8080 path: /(.*) - pathType: Prefix + pathType: ImplementationSpecific --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: msal-net-proxy + name: msal-proxy spec: rules: - host: $APP_HOSTNAME @@ -42,19 +42,19 @@ spec: paths: - backend: service: - name: msal-net-proxy + name: msal-proxy port: number: 80 path: /msal - pathType: Prefix + pathType: ImplementationSpecific tls: - hosts: - $APP_HOSTNAME secretName: $TLS_SECRET_NAME EOF -cat ./K8s-Config/hello-world-ingress.yaml +cat ./K8s-Config/kuard-ingress.yaml -kubectl apply -f ./K8s-Config/hello-world-ingress.yaml +kubectl apply -f ./K8s-Config/kuard-ingress.yaml echo "COMPLETE @ $(date +"%T"): Deploy the Ingress Resources" \ No newline at end of file diff --git a/K8s-Config/aad-secret.yaml b/K8s-Config/aad-secret.yaml index 831c6b0..8be9d39 100644 --- a/K8s-Config/aad-secret.yaml +++ b/K8s-Config/aad-secret.yaml 
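Review bot: With the output renamed to `./K8s-Config/kuard-ingress.yaml`, the previously generated `K8s-Config/hello-world-ingress.yaml` is no longer produced by any script but is still tracked and still edited in this same commit, which leaves two Ingress pairs for the same host and paths — `hello-world-ingress`/`msal-net-proxy` and `kuard`/`msal-proxy` — that would conflict if both were ever applied. Delete the old file, or if it is kept as a sample say so in a header comment such as `# Sample only; the scripts generate kuard-ingress.yaml instead`. The `name: msal-proxy` backend assumes the Helm release `msal-proxy` exposes a Service of that exact name, which I cannot confirm from the chart here — worth a comment stating that dependency.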
@@ -6,5 +6,5 @@ metadata: type: Opaque stringData: AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47 - CLIENT_ID: cc37d3ad-32ce-4786-9c69-bb0025d788d3 - CLIENT_SECRET: ON9.HC1I9PYS9cGr-G13CDqm1VkTbPGSUu + CLIENT_ID: ae837949-bc92-4573-aafb-95c657a7392c + CLIENT_SECRET: gZC5Ns1LDb_KimcB_3a9-SImyUNWbPrNOn diff --git a/K8s-Config/hello-world-ingress.yaml b/K8s-Config/hello-world-ingress.yaml index 06f29e1..c979a7f 100644 --- a/K8s-Config/hello-world-ingress.yaml +++ b/K8s-Config/hello-world-ingress.yaml @@ -13,10 +13,10 @@ metadata: spec: tls: - hosts: - - aadautofix.eastus.cloudapp.azure.com + - dakondra-msal-proxy.eastus.cloudapp.azure.com secretName: ingress-tls-prod rules: - - host: aadautofix.eastus.cloudapp.azure.com + - host: dakondra-msal-proxy.eastus.cloudapp.azure.com http: paths: - backend: @@ -33,7 +33,7 @@ metadata: name: msal-net-proxy spec: rules: - - host: aadautofix.eastus.cloudapp.azure.com + - host: dakondra-msal-proxy.eastus.cloudapp.azure.com http: paths: - backend: @@ -45,5 +45,5 @@ spec: pathType: Prefix tls: - hosts: - - aadautofix.eastus.cloudapp.azure.com + - dakondra-msal-proxy.eastus.cloudapp.azure.com secretName: ingress-tls-prod diff --git a/K8s-Config/kuard-ingress.yaml b/K8s-Config/kuard-ingress.yaml new file mode 100644 index 0000000..55e1cb1 --- /dev/null +++ b/K8s-Config/kuard-ingress.yaml 
@@ -0,0 +1,49 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: kuard + annotations: + nginx.ingress.kubernetes.io/auth-url: "https:///msal/auth" + nginx.ingress.kubernetes.io/auth-signin: "https:///msal/index?rd=" + nginx.ingress.kubernetes.io/auth-response-headers: "x-injected-aio,x-injected-name,x-injected-nameidentifier,x-injected-objectidentifier,x-injected-preferred_username,x-injected-tenantid,x-injected-uti" + kubernetes.io/tls-acme: "true" + certmanager.k8s.io/cluster-issuer: letsencrypt-prod + nginx.ingress.kubernetes.io/rewrite-target: / +spec: + ingressClassName: nginx + tls: + - hosts: + - dakondra-msal-two.eastus.cloudapp.azure.com + secretName: dakondra-msal-two.eastus.cloudapp.azure.com-tls + rules: + - host: dakondra-msal-two.eastus.cloudapp.azure.com + http: + paths: + - backend: + service: + name: kuard-pod + port: + number: 8080 + path: /(.*) + pathType: ImplementationSpecific +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: msal-proxy +spec: + rules: + - host: dakondra-msal-two.eastus.cloudapp.azure.com + http: + paths: + - backend: + service: + name: msal-proxy + port: + number: 80 + path: /msal + pathType: ImplementationSpecific + tls: + - hosts: + - dakondra-msal-two.eastus.cloudapp.azure.com + secretName: dakondra-msal-two.eastus.cloudapp.azure.com-tls diff --git a/K8s-Config/msal-net-proxy.yaml b/K8s-Config/msal-net-proxy.yaml index 6c0324e..586a16d 100644 --- a/K8s-Config/msal-net-proxy.yaml +++ b/K8s-Config/msal-net-proxy.yaml 
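Review bot: The committed `K8s-Config/kuard-ingress.yaml` does not match what `6-deployNewIngressResource.sh` renders: its annotations read `auth-url: "https:///msal/auth"`, `auth-signin: "https:///msal/index?rd="` and `rewrite-target: /`, which looks like the nginx variables `$host`, `$escaped_request_uri` and the `$1` capture were expanded away by a shell, whereas the script's heredoc escapes them as `\$host`, `\$escaped_request_uri` and `\$1`. Applied as committed, the auth subrequest targets an empty host and every request is rewritten to `/`, which may well be behind the 500/503 errors named in the first commit title. Regenerate the file from the script (or stop committing the generated output), and replace the embedded `dakondra-msal-two.eastus.cloudapp.azure.com` host with the `$APP_HOSTNAME` placeholder if a sample is wanted.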
@@ -30,13 +30,13 @@ spec: - name: AzureAd__TenantId value: 72f988bf-86f1-41af-91ab-2d7cd011db47 - name: AzureAd__ClientId - value: cc37d3ad-32ce-4786-9c69-bb0025d788d3 + value: ae837949-bc92-4573-aafb-95c657a7392c - name: AzureAd__CallbackPath value: /msal/signin-oidc - name: AzureAd__SignedOutCallbackPath value: /msal/signout-callback-oidc - name: AzureAd__ClientSecret - value: ON9.HC1I9PYS9cGr-G13CDqm1VkTbPGSUu + value: gZC5Ns1LDb_KimcB_3a9-SImyUNWbPrNOn - name: Logging__LogLevel__Default value: Debug - name: AllowedHosts diff --git a/main.sh b/main.sh index 43ba7c5..3ec9f87 100644 --- a/main.sh +++ b/main.sh @@ -162,18 +162,6 @@ echo "****BEGIN @ $(date +"%T"): Call Ingress Controller Creation script****" . ./AutomationScripts/2-ingressCreation.sh echo "****COMPLETE @ $(date +"%T"): Ingress controller created script****" -echo "BEGIN @ $(date +"%T"): Deploy sample app..." -# INPUTIMAGE=$7 -# If we have a parameter for an image install a custom image. If not, then we install kuard. -if [ -z "$INPUTIMAGE" ]; then - echo "No image input, installing kuard." - kubectl run kuard-pod --image=gcr.io/kuar-demo/kuard-amd64:1 --expose --port=8080 -else - echo "Your custom image $INPUTIMAGE installed" - kubectl run kuard-pod --image=$INPUTIMAGE --expose --port=8080 -fi -echo "COMPLETE @ $(date +"%T"): Deployed sample app" - echo "****BEGIN @ $(date +"%T"): Call ADD App Creation script****" . ./AutomationScripts/3-registerAADApp.sh echo "****COMPLETE @ $(date +"%T"): AAD App created script****" 
@@ -186,6 +174,18 @@ echo "****BEGIN @ $(date +"%T"): Call Install Cert Manager script****" . ./AutomationScripts/5-installCertManager.sh echo "****COMPLETE @ $(date +"%T"): Installed Cert Manager script****" +echo "BEGIN @ $(date +"%T"): Deploy sample app..." +# INPUTIMAGE=$7 +# If we have a parameter for an image install a custom image. If not, then we install kuard. +if [ -z "$INPUTIMAGE" ]; then + echo "No image input, installing kuard." + kubectl run kuard-pod --image=gcr.io/kuar-demo/kuard-amd64:1 --expose --port=8080 +else + echo "Your custom image $INPUTIMAGE installed" + kubectl run custom-pod --image=$INPUTIMAGE --expose --port=8080 +fi +echo "COMPLETE @ $(date +"%T"): Deployed sample app" + echo "****BEGIN @ $(date +"%T"): Call Deploy New Ingress Resource script****" . ./AutomationScripts/6-deployNewIngressResource.sh echo "****COMPLETE @ $(date +"%T"): Deployed New Ingress Resource script****" @@ -203,8 +203,6 @@ do read INPUT_STRING done echo "COMPLETE @ $(date +"%T"): Verify Production Certificate works" -echo "" -echo "" echo "END OF SCRIPT" echo "" echo "" From 12c3dd56f15a72adc8c143fa83388184f1d6932e Mon Sep 17 00:00:00 2001 From: Daniel Kondrashevich <31390640+danielkon96@users.noreply.github.com> Date: Thu, 10 Jun 2021 12:57:35 -0700 Subject: [PATCH 3/3] Added instructions for automated scripts. --- docs/setup-instructions.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/setup-instructions.md b/docs/setup-instructions.md index 37277b8..57eebba 100644 --- a/docs/setup-instructions.md +++ b/docs/setup-instructions.md 
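Review bot: In the relocated sample-app block, the custom-image branch now runs `kubectl run custom-pod --image=$INPUTIMAGE --expose --port=8080`, so the Service it creates is named `custom-pod`, while the Ingress rendered by `6-deployNewIngressResource.sh` points its backend at `service: name: kuard-pod`; with a custom image the Ingress has no endpoints and ingress-nginx returns 503. Keep the Service name stable, `kubectl run kuard-pod --image="$INPUTIMAGE" --expose --port=8080`, as the kuard branch does, or export the chosen name and use it in the ingress template. `$INPUTIMAGE` should be quoted, and the fixed `--port=8080` assumes the custom image listens on 8080, which deserves a comment such as `# custom images must serve on 8080; the ingress backend port is fixed`.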
@@ -288,6 +288,18 @@ It should look something like this: kubectl delete secret ingress-tls-prod kubectl delete -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml kubectl delete ns cert-manager + +## Automated Scripts [Azure Cloud Shell] (optional) + +- Go to the root folder +- Run bash command +``` +# Run -h for all required and optional flags +bash main.sh -h + +# Example Command +bash main.sh -a msal-test -c cluster-test -r easy-auth -e email@microsoft.com -d microsoft.com -l eastus +``` # References