-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
94 additions
and
43 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,54 +11,38 @@ permissions: | |
|
||
jobs: | ||
deploy-bicep: | ||
runs-on: ubuntu-latest | ||
name: Deploy Bicep | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- uses: actions/checkout@v3 | ||
|
||
- uses: azure/login@v1 | ||
name: Login to Azure | ||
- name: Login to Azure | ||
uses: azure/login@v1 | ||
with: | ||
client-id: ${{ secrets.AZURE_CLIENT_ID }} | ||
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | ||
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | ||
enable-AzPSSession: true | ||
|
||
# Why on earth can't I just deploy the bicep file? | ||
- uses: azure/[email protected] | ||
name: Bicep Build | ||
with: | ||
bicepFilePath: infrastructure/Cluster.bicep | ||
outputFilePath: infrastructure/Cluster.json | ||
|
||
- id: name | ||
shell: pwsh | ||
run: '"name=aks-$(Get-Date -f yyyyMMddThhmmss)" >> $Env:GITHUB_OUTPUT' | ||
|
||
- uses: azure/arm-deploy@v1 | ||
name: deploy | ||
timeout-minutes: 240 | ||
with: | ||
template: infrastructure/Cluster.json | ||
subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }} | ||
resourceGroupName: ${{ secrets.AZURE_RG }} | ||
parameters: adminId=${{ secrets.ADMIN_GROUP_ID }} | ||
deploymentName: ${{ steps.name.outputs.name }} | ||
|
||
- id: deploy-flux | ||
shell: pwsh | ||
run: | | ||
#! Get the cluster credentials | ||
Get-AzAksCluster -ResourceGroupName $Env:RESOURCE_GROUP | | ||
Import-AzAksCredential -Force | ||
#! Update the client ID from the deployment output | ||
$kustomize = Get-Content "clusters/poschode/flux/kustomization.ps1" | ||
$kustomize = $kustomize -replace "azure.workload.identity/client-id: .*$", "azure.workload.identity/client-id: ${{ steps.deploy.outputs.fluxIdClientId }}" | ||
# TODO: commit this file to the repo _before_ running flux | ||
$kustomize | Set-Content "clusters/poschode/flux/kustomization.ps1" | ||
#! Bootstrap Flux | ||
./infrastructure/Install-Flux.ps1 | ||
- name: Azure Resource Group Deployment | ||
uses: azure/powershell@v1 | ||
env: | ||
SUBSCRIPTION: ${{ secrets.AZURE_SUBSCRIPTION }} | ||
RESOURCEGROUP: ${{ secrets.AZURE_RG }} | ||
ADMINS: ${{ secrets.ADMIN_GROUP_ID }} | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
RESOURCE_GROUP: ${{ secrets.AZURE_RG }} | ||
|
||
with: | ||
azPSVersion: "latest" | ||
inlineScript: | | ||
$Results = New-AzResourceGroupDeployment -Name "aks-$(Get-Date -f yyyyMMddThhmmss)" -ResourceGroupName $Env:RESOURCEGROUP -TemplateFile ./infrastructure/Cluster.bicep -TemplateParameterObject @{ adminId = $Env:ADMINS } | ||
$Results | Out-Host | ||
#! Get the cluster credentials | ||
Get-AzAksCluster -ResourceGroupName $Env:RESOURCEGROUP | Import-AzAksCredential -Force | ||
#! Update the client ID from the deployment output | ||
$kustomize = Get-Content "./clusters/poshcode/flux-system/kustomization.yaml" | ||
$kustomize = $kustomize -replace "azure.workload.identity/client-id: .*$", "azure.workload.identity/client-id: $($Results.Outputs.fluxIdClientId)" | ||
# TODO: commit this file to the repo _before_ running flux | ||
$kustomize | Set-Content "./clusters/poshcode/flux-system/kustomization.yaml" | ||
#! Bootstrap Flux | ||
./Initialize-Flux.ps1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
<# | ||
.SYNOPSIS | ||
Prepares an Azure subscription, resource group, and service account and puts secrets into a GitHub repo. | ||
.DESCRIPTION | ||
Creates a new Azure AD application and service principal, and grants it access to a resource group. | ||
Also creates a new federated identity credential for the service principal, and sets the secrets | ||
for the repo workflows. | ||
#> | ||
[CmdletBinding()] | ||
param( | ||
# The identifier URIs to use. E.g. "https://auth.poshcode.com" | ||
[string[]]$IdentifierUris = "https://auth.poshcode.com", | ||
|
||
# The service name to use. E.g. "poshcode-auth" | ||
[string]$DisplayName = "poshcode-auth", | ||
|
||
# The repo to set secrets for. E.g. "PoshCode/cluster" | ||
[string]$repo = "PoshCode/cluster", | ||
|
||
# The name of the secret to create. E.g. "azuread" | ||
$Name = "azuread", | ||
|
||
# The namespace to create the secret in. E.g. "traefik" | ||
$Namespace = "traefik", | ||
|
||
# The path to the secret file to create. E.g. "system/config/secret.yaml" | ||
$Path = "system/config/secret.yaml" | ||
) | ||
|
||
Push-Location $PSScriptRoot -StackName Initialize-AuthApplication | ||
|
||
filter global:ToBase64 { | ||
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($_)) | ||
} | ||
filter global:FromBase64 { | ||
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($_)) | ||
} | ||
|
||
$global:app = (Get-AzADApplication -DisplayName $DisplayName) ?? | ||
(New-AzADApplication -DisplayName $DisplayName -IdentifierUris $IdentifierUris -ReplyUrls "$IdentifierUris/_oauth") | ||
|
||
$Secret = New-AzADAppCredential -ObjectId $App.Id -PasswordCredentials @{} | ||
|
||
$Secret = @" | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: $Name | ||
namespace: $Namespace | ||
type: Opaque | ||
data: | ||
client_id: $($app.AppId|ToBase64) | ||
client_secret: $($secret.SecretText|ToBase64) | ||
endpoint: $("https://login.microsoftonline.com/$((Get-AzContext).Tenant.Id)/v2.0"|ToBase64) | ||
random_secret: $([guid]::NewGuid().Guid|ToBase64) | ||
"@ | ||
|
||
Write-Verbose "$Path`n$Secret" | ||
|
||
Set-Content $Path $Secret -Encoding ascii | ||
|
||
sops -e -i $Path | ||
|
||
Pop-Location -StackName Initialize-AuthApplication | ||
|
||
# https://login.microsoftonline.com/$tenant/v2.0/.well-known/openid-configuration | ||
# https://login.microsoftonline.com/$tenant/oauth2/v2.0/authorize |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters