Dakondra/fix automation scripts

AutomationScripts/2-ingressCreation.sh

@@ -2,14 +2,16 @@
 
 echo "BEGIN @ $(date +"%T"): Installing the ingress controller..."
 kubectl create ns ingress-controllers
-helm install nginx-ingress stable/nginx-ingress --namespace ingress-controllers --set rbac.create=true
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+helm repo update
+helm install nginx-ingress ingress-nginx/ingress-nginx --namespace ingress-controllers --set rbac.create=true
 
-INGRESS_IP=$(kubectl get services/nginx-ingress-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+INGRESS_IP=$(kubectl get services/nginx-ingress-ingress-nginx-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
 
 while [ "$INGRESS_IP" = "" ]
 do
   echo "UPDATE @ $(date +"%T"): Checking for INGRESS_IP from Azure..."
-  INGRESS_IP=$(kubectl get services/nginx-ingress-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+  INGRESS_IP=$(kubectl get services/nginx-ingress-ingress-nginx-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
   echo "UPDATE @ $(date +"%T"): Sleeping for 5 seconds..."
   sleep 5
 done
@@ -19,7 +21,7 @@ echo "BEGIN @ $(date +"%T"): Configure DNS for the cluster public IP..."
 NODE_RG=$(az aks show -n $CLUSTER_NAME -g $CLUSTER_RG -o json | jq -r '.nodeResourceGroup')
 echo "UPDATE @ $(date +"%T"): " $NODE_RG
 
-INGRESS_IP=$(kubectl get services/nginx-ingress-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
+INGRESS_IP=$(kubectl get services/nginx-ingress-ingress-nginx-controller -n ingress-controllers -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
 echo "UPDATE @ $(date +"%T"): " $INGRESS_IP
 
 IP_NAME=$(az network public-ip list -g $NODE_RG -o json | jq -c ".[] | select(.ipAddress | contains(\"$INGRESS_IP\"))" | jq '.name' -r)

AutomationScripts/4-deployMSALProxy.sh

@@ -1,155 +1,27 @@
 #!/bin/sh -x
 
-echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..."
-cat << EOF > ../msal-proxy/templates/azure-files-storage-class.yaml
-kind: StorageClass
-apiVersion: storage.k8s.io/v1
-metadata:
-  name: azurefile
-provisioner: kubernetes.io/azure-file
-mountOptions:
-  - dir_mode=0777
-  - file_mode=0777
-  - uid=1000
-  - gid=1000
-  - mfsymlinks
-  - nobrl
-  - cache=none
-parameters:
-  skuName: Standard_LRS
-EOF
-
-cat msal-proxy/templates/azure-files-storage-class.yaml
-
-# kubectl apply -f azure-files-storage-class.yaml
-
-cat << EOF > ../msal-proxy/templates/data-protection-persistent-claim.yaml
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: msal-net-proxy-az-file-pv-claim
-spec:
-  accessModes:
-    - ReadWriteMany
-  storageClassName: azurefile
-  resources:
-    requests:
-      storage: 5Gi
-EOF
-
-cat msal-proxy/templates/data-protection-persistent-claim.yaml
-
-# kubectl apply -f data-protection-persistent-claim.yaml
+# Every file has one dot instead of two because we are calling main.sh, so we access the "current" directory which is where main.sh is located.
 
-cat << EOF > ../azure-pvc-roles.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: system:azure-cloud-provider
-rules:
-- apiGroups: ['']
-  resources: ['secrets']
-  verbs:     ['get','create']
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: system:azure-cloud-provider
-roleRef:
-  kind: ClusterRole
-  apiGroup: rbac.authorization.k8s.io
-  name: system:azure-cloud-provider
-subjects:
-- kind: ServiceAccount
-  name: persistent-volume-binder
-  namespace: kube-system
-EOF
+echo "BEGIN @ $(date +"%T"): Deploy MSAL Proxy..."
 
-cat azure-pvc-roles.yaml
+echo "BEGIN @ $(date +"%T"): Deploying secret..."
+echo ""
 
-kubectl apply -f azure-pvc-roles.yaml
+kubectl create secret generic aad-secret \
+  --from-literal=AZURE_TENANT_ID=$AZURE_TENANT_ID \
+  --from-literal=CLIENT_ID=$CLIENT_ID \
+  --from-literal=CLIENT_SECRET=$CLIENT_SECRET
 
-cat << EOF > ../msal-proxy/templates/msal-net-proxy.yaml
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
-  labels:
-    k8s-app: msal-net-proxy
-  name: msal-net-proxy
-spec:
-  replicas: 2
-  selector:
-    matchLabels:
-      k8s-app: msal-net-proxy
-  template:
-    metadata:
-      labels:
-        k8s-app: msal-net-proxy
-    spec:
-      containers:
-      -  image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
-         imagePullPolicy: Always
-         name: msal-net-proxy
-         env:
-         -  name: DataProtectionFileLocation
-            value: /mnt/dp
-         -  name: ForceHttps
-            value: "true"
-         -  name: AzureAd__Instance
-            value: https://login.microsoftonline.com/
-         -  name: AzureAd__Domain
-            value: microsoft.onmicrosoft.com
-         -  name: AzureAd__TenantId
-            value: $AZURE_TENANT_ID
-         -  name: AzureAd__ClientId
-            value: $CLIENT_ID
-         -  name: AzureAd__CallbackPath
-            value: /msal/signin-oidc
-         -  name: AzureAd__SignedOutCallbackPath
-            value: /msal/signout-callback-oidc
-         -  name: AzureAd__ClientSecret
-            value: $CLIENT_SECRET
-         -  name: Logging__LogLevel__Default
-            value: Debug
-         -  name: AllowedHosts
-            value: "*"
-         -  name: RedirectParam
-            value: rd
-         -  name: ShowLogin
-            value: "false"    
-         ports:
-         - containerPort: 80
-           protocol: TCP
-         volumeMounts:
-         - mountPath: "/mnt/dp"
-           name: dpvol
-      volumes:
-      - name: dpvol
-        persistentVolumeClaim:
-          claimName: msal-net-proxy-az-file-pv-claim
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    k8s-app: msal-net-proxy
-  name: msal-net-proxy
-spec:
-  ports:
-  - name: http
-    port: 80
-    protocol: TCP
-    targetPort: 80
-  selector:
-    k8s-app: msal-net-proxy
-EOF
-cat msal-proxy/templates/msal-net-proxy.yaml
+echo ""
+echo "COMPLETE @ $(date +"%T"): Deploying secret"
 
 # kubectl apply -f msal-net-proxy.yaml
 
 echo "BEGIN @ $(date +"%T"): Calling Helm..."
 echo ""
-helm install msal-proxy msal-proxy
+
+helm install msal-proxy ./charts/msal-proxy 
+
 echo ""
 echo "COMPLETE @ $(date +"%T"): Calling Helm"
 

AutomationScripts/5-installCertManager.sh

@@ -1,21 +1,41 @@
 #!/bin/sh -x
 
 echo "BEGIN @ $(date +"%T"): Install Cert Manager..."
-TLS_SECRET_NAME=ingress-tls-prod
+TLS_SECRET_NAME=$APP_HOSTNAME-tls
 
 kubectl create namespace cert-manager
 
-kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml --validate=false
+# kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.11/deploy/manifests/00-crds.yaml --validate=false
 
 helm repo add jetstack https://charts.jetstack.io
 
 helm repo update
 
-helm install cert-manager --namespace cert-manager --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer jetstack/cert-manager --version v0.11.0
+# helm install cert-manager --namespace cert-manager --set ingressShim.defaultIssuerName=letsencrypt-prod --set ingressShim.defaultIssuerKind=ClusterIssuer jetstack/cert-manager --version v0.11.0
+
+helm install \
+  cert-manager jetstack/cert-manager \
+  --namespace cert-manager \
+  --version v1.3.1 \
+  --set installCRDs=true \
+  --set ingressShim.defaultIssuerName=letsencrypt-prod \
+  --set ingressShim.defaultIssuerKind=ClusterIssuer
 
 kubectl get pods -n cert-manager
 
-cat << EOF > ../cluster-issuer-prod.yaml
+echo "Make sure the cert-manager pods have started BEFORE proceeding."
+
+INPUT_STRING=no
+while [ "$INPUT_STRING" != "yes" ]
+do
+  echo ""
+  kubectl get pods -n cert-manager  
+  echo ""
+  echo "Did the cert-manager pods start OK? Type 'yes' or press enter to try again..."
+  read INPUT_STRING
+done
+
+cat << EOF > ./K8s-Config/cluster-issuer-prod.yaml
 apiVersion: cert-manager.io/v1alpha2
 kind: ClusterIssuer
 metadata:
@@ -34,18 +54,8 @@ spec:
           class: nginx
 EOF
 
-cat cluster-issuer-prod.yaml
-
-INPUT_STRING=no
-while [ "$INPUT_STRING" != "yes" ]
-do
-  echo ""
-  kubectl get pods -n cert-manager  
-  echo ""
-  echo "Did the cert-manager pods start OK? Type 'yes' or press enter to try again..."
-  read INPUT_STRING
-done
+cat ./K8s-Config/cluster-issuer-prod.yaml
 
-kubectl apply -f cluster-issuer-prod.yaml
+kubectl apply -f ./K8s-Config/cluster-issuer-prod.yaml
 
 echo "COMPLETE @ $(date +"%T"): Install Cert Manager"

AutomationScripts/6-deployNewIngressResource.sh

@@ -1,20 +1,20 @@
 #!/bin/sh -x
 
 echo "BEGIN @ $(date +"%T"): Deploy the Ingress Resources..."
-cat << EOF > ../hello-world-ingress.yaml
-apiVersion: extensions/v1beta1
+cat << EOF > ./K8s-Config/kuard-ingress.yaml
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: hello-world-ingress
+  name: kuard
   annotations:
     nginx.ingress.kubernetes.io/auth-url: "https://\$host/msal/auth"
     nginx.ingress.kubernetes.io/auth-signin: "https://\$host/msal/index?rd=\$escaped_request_uri"
     nginx.ingress.kubernetes.io/auth-response-headers: "x-injected-aio,x-injected-name,x-injected-nameidentifier,x-injected-objectidentifier,x-injected-preferred_username,x-injected-tenantid,x-injected-uti"
-    kubernetes.io/ingress.class: nginx
     kubernetes.io/tls-acme: "true"
     certmanager.k8s.io/cluster-issuer: letsencrypt-prod
     nginx.ingress.kubernetes.io/rewrite-target: /\$1
 spec:
+  ingressClassName: nginx
   tls:
   - hosts:
     - $APP_HOSTNAME
@@ -24,31 +24,37 @@ spec:
     http:
       paths:
       - backend:
-          serviceName: kuard-pod
-          servicePort: 8080
+          service:
+            name: kuard-pod
+            port:
+              number: 8080
         path: /(.*)
+        pathType: ImplementationSpecific
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: msal-net-proxy
+  name: msal-proxy
 spec:
   rules:
   - host: $APP_HOSTNAME
     http:
       paths:
       - backend:
-          serviceName: msal-net-proxy
-          servicePort: 80
+          service:
+            name: msal-proxy
+            port: 
+              number: 80
         path: /msal
+        pathType: ImplementationSpecific
   tls:
   - hosts:
     - $APP_HOSTNAME
     secretName: $TLS_SECRET_NAME
 EOF
 
-cat hello-world-ingress.yaml
+cat ./K8s-Config/kuard-ingress.yaml
 
-kubectl apply -f hello-world-ingress.yaml
+kubectl apply -f ./K8s-Config/kuard-ingress.yaml
 
 echo "COMPLETE @ $(date +"%T"): Deploy the Ingress Resources"

K8s-Config/aad-secret.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aad-secret
+  namespace: default
+type: Opaque
+stringData:
+    AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
+    CLIENT_ID: ae837949-bc92-4573-aafb-95c657a7392c
+    CLIENT_SECRET: gZC5Ns1LDb_KimcB_3a9-SImyUNWbPrNOn

K8s-Config/azure-files-storage-class.yaml

@@ -12,4 +12,4 @@ mountOptions:
   - nobrl
   - cache=none
 parameters:
-  skuName: Standard_LRS
+  skuName: Standard_LRS

K8s-Config/azure-pvc-roles.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -19,4 +18,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: persistent-volume-binder
-  namespace: kube-system
+  namespace: kube-system

K8s-Config/cluster-issuer-prod.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  namespace: cert-manager
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: dakondra@microsoft.com
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Add a single challenge solver, HTTP01 using nginx
+    solvers:
+    - http01:
+        ingress:
+          class: nginx

K8s-Config/data-protection-persistent-claim.yaml

@@ -2,11 +2,10 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: msal-net-proxy-az-file-pv-claim
-  namespace: ingress-basic
 spec:
   accessModes:
     - ReadWriteMany
   storageClassName: azurefile
   resources:
     requests:
-      storage: 5Gi
+      storage: 5Gi