Azure
diff --git a/‎.github/workflows/AppDeploy_JavaApp.yml
+5 b/‎.github/workflows/AppDeploy_JavaApp.yml
+5
diff --git a/‎.github/workflows/ByoVnetCI.yml
+35-12 b/‎.github/workflows/ByoVnetCI.yml
+35-12
diff --git a/‎.github/workflows/ByoVnetPrivateCI.yml
+1-1 b/‎.github/workflows/ByoVnetPrivateCI.yml
+1-1
diff --git a/‎.github/workflows/PostDeploy.yml
+92 b/‎.github/workflows/PostDeploy.yml
+92
diff --git a/‎.github/workflows/Test_ReusableWorkflows.yml
+14-1 b/‎.github/workflows/Test_ReusableWorkflows.yml
+14-1
diff --git a/‎helper/src/components/deployTab.js
+1-1 b/‎helper/src/components/deployTab.js
+1-1
diff --git a/‎postdeploy/helm/Az-CertManagerIssuer-0.3.0.tgz
1.08 KB b/‎postdeploy/helm/Az-CertManagerIssuer-0.3.0.tgz
1.08 KB
diff --git a/‎postdeploy/helm/certmanagerissuer/Chart.yaml
+6 b/‎postdeploy/helm/certmanagerissuer/Chart.yaml
+6
diff --git a/‎postdeploy/helm/certmanagerissuer/templates/clusterissuer-prod.yaml
+27 b/‎postdeploy/helm/certmanagerissuer/templates/clusterissuer-prod.yaml
+27
diff --git a/‎postdeploy/helm/certmanagerissuer/templates/clusterissuer-staging.yaml
+27 b/‎postdeploy/helm/certmanagerissuer/templates/clusterissuer-staging.yaml
+27
diff --git a/‎postdeploy/helm/certmanagerissuer/templates/networkpolicy.yaml
+10 b/‎postdeploy/helm/certmanagerissuer/templates/networkpolicy.yaml
+10
diff --git a/‎postdeploy/helm/certmanagerissuer/values.yaml
+4 b/‎postdeploy/helm/certmanagerissuer/values.yaml
+4
diff --git a/‎postdeploy/helm/externaldns-0.2.0.tgz
1.86 KB b/‎postdeploy/helm/externaldns-0.2.0.tgz
1.86 KB
diff --git a/‎postdeploy/helm/externaldns/Chart.yaml
+6 b/‎postdeploy/helm/externaldns/Chart.yaml
+6
@@ -1,3 +1,8 @@
+# This file is now been transferred to a new repository.
+# https://github.com/Azure-Samples/java-aks-keyvault-tls/blob/0.9-preview/.github/workflows/deployapp.yml
+# Retarget any workflows to use the it instead of this one.
+# eg. uses: azure-samples/java-aks-keyvault-tls/.github/workflows/[email protected]
+
 on:
   workflow_call:
     inputs:
 
@@ -492,7 +492,7 @@ jobs:
         run:
           AKSNAME='${{ steps.deployAks.outputs.AKSNAME}}'
 
-          netpolicycmd="kubectl apply -f https://github.com/Azure/Aks-Construction/blob/0.4.2-preview/k8smanifests/networkpolicy-deny-all.yml?raw=true";
+          netpolicycmd="kubectl apply -f https://raw.githubusercontent.com/Azure/Aks-Construction/0.4.3-preview/postdeploy/k8smanifests/networkpolicy-deny-all.yml";
           echo "Sending command $netpolicycmd to $AKSNAME in $RG";
           cmdOut=$(az aks command invoke -g $RG -n $AKSNAME -o json --command "${netpolicycmd}");
           echo $cmdOut;
@@ -518,26 +518,39 @@ jobs:
         run: echo "Resuable workflows can't be directly passed ENV/INPUTS (yet)"
       - name: Explain more
         run: echo "see https://github.community/t/reusable-workflow-env-context-not-available-in-jobs-job-id-with/206111"
+      - name: Job parameter inspection
+        run: echo ${{ github.event.inputs.doSmokeTestUninstall }}
+
+  Post-Deploy:
+    needs: [Deploy, ReusableWF]
+    uses: azure/aks-construction/.github/workflows/PostDeploy.yml@gb-certmanagerrefactor
+    with:
+      RG: ${{ needs.ReusableWF.outputs.RG }}
+      AKSNAME: ${{needs.Deploy.outputs.AKSNAME}}
+      DNSDOMAIN: azdemo.co.uk
+      DNSRG: domainssl
+      CERTMANAGEREMAIL: "[email protected]"
+    secrets:
+      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
 
   SmokeTest_SimpleApp:
     needs: [Deploy, ReusableWF]
     uses: azure/aks-construction/.github/workflows/[email protected]
-    #concurrency: "Ag-${{ inputs.AGNAME}}"
     with:
       RG: ${{ needs.ReusableWF.outputs.RG }} #Automation-Actions-AksDeployCI #$RG
       AKSNAME: ${{needs.Deploy.outputs.AKSNAME}}
       AGNAME: ${{ needs.Deploy.outputs.AGNAME}}
       APPNAME: avote-public
       INGRESSTYPE: "AGIC-Public-Ingress"
       FORCEHELMCLEANINSTALL: true
-      UNINSTALLAFTERVERIFY: ${{ needs.ReusableWF.outputs.Uninstall == true }}
+      UNINSTALLAFTERVERIFY: ${{ needs.ReusableWF.outputs.Uninstall == 'true' }}
     secrets:
       AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
 
   SmokeTest_JavaApp-certmgr:
-    needs: [Deploy, ReusableWF]
-    uses: azure/aks-construction/.github/workflows/[email protected]
-    #concurrency: "Ag-${{ inputs.AGNAME}}"
+    needs: [Deploy, ReusableWF, Post-Deploy]
+    #uses: azure/aks-construction/.github/workflows/[email protected]
+    uses: azure-samples/java-aks-keyvault-tls/.github/workflows/[email protected]
     with:
       RG: ${{ needs.ReusableWF.outputs.RG }} #Automation-Actions-AksDeployCI #'${{ env.RG }}' There seems to be an issue passing Env variables in reusable workflows
       AKSNAME: ${{needs.Deploy.outputs.AKSNAME}}
@@ -548,13 +561,15 @@ jobs:
       AGNAME: ${{ needs.Deploy.outputs.AGNAME}}
       APPNAME: openjdk-demo
       FRONTENDCERTTYPE: certmanager-staging
-      UNINSTALLAFTERVERIFY: ${{ needs.ReusableWF.outputs.Uninstall == true }}
+      FORCEHELMCLEANINSTALL: true
+      UNINSTALLAFTERVERIFY: ${{ needs.ReusableWF.outputs.Uninstall == 'true' }}
     secrets:
       AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
 
   SmokeTest_JavaApp-appgw:
-    needs: [Deploy, ReusableWF, SmokeTest_JavaApp-certmgr]
-    uses: azure/aks-construction/.github/workflows/[email protected]
+    needs: [Deploy, ReusableWF, Post-Deploy, SmokeTest_JavaApp-certmgr]
+    #uses: azure/aks-construction/.github/workflows/[email protected]
+    uses: azure-samples/java-aks-keyvault-tls/.github/workflows/[email protected]
     with:
       RG: ${{ needs.ReusableWF.outputs.RG }} #Automation-Actions-AksDeployCI #'${{ env.RG }}' There seems to be an issue passing Env variables in reusable workflows
       AKSNAME: ${{needs.Deploy.outputs.AKSNAME}}
@@ -565,6 +580,7 @@ jobs:
       AGNAME: ${{ needs.Deploy.outputs.AGNAME}}
       APPNAME: openjdk-kvssl
       FRONTENDCERTTYPE: appgw-selfsigned
+      FORCEHELMCLEANINSTALL: true
       UNINSTALLAFTERVERIFY: ${{ needs.ReusableWF.outputs.Uninstall == true }}
     secrets:
       AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
@@ -701,10 +717,10 @@ jobs:
           sudo mv bin/linux_amd64/kubelogin /usr/bin
           kubelogin convert-kubeconfig -l azurecli
 
-      - name: Kubectl get events
+      - name: Kubectl get event Warnings
         if: github.event.inputs.doDebugSteps == 'true'
         run: |
-          kubectl get events
+          kubectl get events --sort-by='.metadata.creationTimestamp' -A | grep Warning
 
       - name: Describe AGIC Pod
         env:
@@ -713,7 +729,14 @@ jobs:
           APPGWPODNAME=$(kubectl get pods -n $NAMESP -o json | jq -r '.items[] | select(.metadata.name | test("appgw-")).metadata.name')
           kubectl describe po -n $NAMESP $APPGWPODNAME
 
-      - name: Grab AGIC pod logs
+      - name: Grab Invalid AGIC pod logs
+        env:
+          NAMESP: "kube-system"
+        run: |
+          APPGWPODNAME=$(kubectl get pods -n $NAMESP -o json | jq -r '.items[] | select(.metadata.name | test("appgw-")).metadata.name')
+          kubectl logs -n $NAMESP $APPGWPODNAME | grep Invalid
+
+      - name: Grab full AGIC pod logs
         env:
           NAMESP: "kube-system"
         run: |
 
@@ -239,7 +239,7 @@ jobs:
         run:
           AKSNAME='${{ steps.deployAks.outputs.AKSNAME}}'
 
-          netpolicycmd="kubectl apply -f https://raw.githubusercontent.com/Azure/Aks-Construction/0.4.2-preview/k8smanifests/networkpolicy-deny-all.yml";
+          netpolicycmd="kubectl apply -f https://raw.githubusercontent.com/Azure/Aks-Construction/0.4.3-preview/postdeploy/k8smanifests/networkpolicy-deny-all.yml";
           echo "Sending command $netpolicycmd to $AKSNAME in $RG";
           cmdOut=$(az aks command invoke -g $RG -n $AKSNAME -o json --command "${netpolicycmd}");
           echo $cmdOut;
 
@@ -0,0 +1,92 @@
+on:
+  workflow_call:
+    inputs:
+      RG:
+        required: true
+        type: string
+      AKSNAME:
+        required: true
+        type: string
+      DNSDOMAIN:
+        required: true
+        type: string
+      DNSRG:
+        required: true
+        type: string
+      HELMCERTMANAGERISSUERURI:
+        default: "postdeploy/helm/Az-CertManagerIssuer-0.3.0.tgz"
+        required: false
+        type: string
+      HELMEXTERNALDNSURI:
+        default: "postdeploy/helm/externaldns-0.2.0.tgz"
+        required: false
+        type: string
+      CERTMANAGER:
+        type: boolean
+        default: true
+        required: false
+      CERTMANAGERVERSION:
+        default: "v1.5.3"
+        required: false
+        type: string
+      CERTMANAGEREMAIL:
+        required: true
+        type: string
+    secrets:
+      AZURE_CREDENTIALS:
+        required: true
+
+jobs:
+  K8S:
+    runs-on: ubuntu-latest
+    env:
+      RG: "${{ inputs.RG }}"
+      AKSNAME: "${{ inputs.AKSNAME }}"
+    steps:
+      - uses: actions/checkout@v2
+        name: Script file download
+
+      - name: Job parameter inspection
+        run: |
+          echo "RG is ${{ inputs.RG }}"
+          echo "AKS name is ${{ inputs.AKSNAME }}"
+          echo "CertManager version is ${{ inputs.CERTMANAGERVERSION }}"
+
+      - name: Azure Login
+        uses: Azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          enable-AzPSSession: false
+          environment: azurecloud
+          allow-no-subscriptions: false
+
+      - name: AKS Connect
+        run: az aks get-credentials -n $AKSNAME -g $RG --overwrite-existing
+
+      - name: Kubelogin
+        env:
+          kubeloginversion: 'v0.0.10'
+        run: |
+          wget https://github.com/Azure/kubelogin/releases/download/${{ env.kubeloginversion }}/kubelogin-linux-amd64.zip
+          unzip kubelogin-linux-amd64.zip
+          sudo mv bin/linux_amd64/kubelogin /usr/bin
+          kubelogin convert-kubeconfig -l azurecli
+
+      - name: Install Cert Manager and ClusterIssuer
+        if: inputs.CERTMANAGER
+        env:
+          CERTMANAGERURI: "https://github.com/jetstack/cert-manager/releases/download/${{ inputs.CERTMANAGERVERSION }}/cert-manager.yaml"
+          CERTMANAGERISSUERURI: "${{ inputs.HELMCERTMANAGERISSUERURI }}"
+          EMAILAD: "${{ inputs.CERTMANAGEREMAIL }}"
+        run: sh postdeploy/scripts/certmanager-install.sh
+
+      - name: Verify Cert Manager ClusterIssuer
+        if: inputs.CERTMANAGER
+        run: kubectl describe clusterissuer
+
+      - name: Create azure-config secret and install externaldns
+        env:
+          EXTERNALDNSURI: "${{ inputs.HELMEXTERNALDNSURI }}"
+          DNSDOMAIN: "${{ inputs.DNSDOMAIN }}"
+          DNSRG: "${{ inputs.DNSRG }}"
+        run: sh postdeploy/scripts/externaldns-config-install.sh
@@ -27,7 +27,20 @@ jobs:
       - name: Dummy step
         run: echo "Resuable workflows can't be directly passed ENV/INPUTS (yet)"
 
+  Post-Deploy:
+    needs: [ReusableWF]
+    uses: azure/aks-construction/.github/workflows/PostDeploy.yml@gb-certmanagerrefactor
+    with:
+      RG: ${{ needs.ReusableWF.outputs.RG }}
+      AKSNAME: aks-Byo
+      DNSDOMAIN: azdemo.co.uk
+      DNSRG: domainssl
+      CERTMANAGEREMAIL: "[email protected]"
+    secrets:
+      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+
   byo-cluster:
+    if: false
     needs: [ReusableWF]
     uses: azure/aks-construction/.github/workflows/[email protected]
     with:
@@ -65,7 +78,7 @@ jobs:
 
       - name: Create Default Deny NetworkPolicy
         run:
-          netpolicycmd="kubectl apply -f https://github.com/Azure/Aks-Construction/blob/0.4.2-preview/k8smanifests/networkpolicy-deny-all.yml?raw=true";
+          netpolicycmd="kubectl apply -f https://raw.githubusercontent.com/Azure/Aks-Construction/0.4.3-preview/postdeploy/k8smanifests/networkpolicy-deny-all.yml";
 
           if [ -z "$netpolicycmd" ];
           then
 
@@ -154,7 +154,7 @@ ${cluster.apisecurity === "private" ? `"` : ``}
 # -----------------------------------
 # Create a default-deny network policy in your cluster to deny all traffic in the default namespace
 ${cluster.apisecurity === "private" ? `az aks command invoke -g ${deploy.rg} -n ${aks}  --command "` : ``}
-kubectl apply -f https://github.com/Azure/Aks-Construction/blob/main/k8smanifests/networkpolicy-deny-all.yml?raw=true
+kubectl apply -f https://raw.githubusercontent.com/Azure/Aks-Construction/0.4.3-preview/postdeploy/k8smanifests/networkpolicy-deny-all.yml
 ${cluster.apisecurity === "private" ? `"` : ``}
 ` : '') +
 
 
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: Az-CertManagerIssuer
+description: CertManager is an automated certificate manager for Kubernetes.
+type: application
+version: 0.3.0 #chart version
+appVersion: "1.0.1" #your app version (used as an image tag)
@@ -0,0 +1,27 @@
+{{- if .Values.prod  -}}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: "letsencrypt-prod"
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    #- dns01:
+        # Add azureDNS resolver for Private endpoints, but this need to be fixed: https://github.com/cert-manager/website/issues/662
+        #azureDNS:
+        #  clientID: $(az aks show -g az-k8s-e0hm-rg -n aks-az-k8s-e0hm --query identityProfile.kubeletidentity.clientId -o tsv)
+        #  subscriptionID: 2d5bb2c8-8be8-4539-b48f-fbfd86852fa9
+        #  resourceGroupName: domainssl
+        #  hostedZoneName: azdemo.co.uk
+    - http01:
+        ingress:
+          class: {{ .Values.ingressClass }}
+{{- end }}
@@ -0,0 +1,27 @@
+{{- if .Values.staging  -}}
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: "letsencrypt-staging"
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    #- dns01:
+        # Add azureDNS resolver for Private endpoints, but this need to be fixed: https://github.com/cert-manager/website/issues/662
+        #azureDNS:
+        #  clientID: $(az aks show -g az-k8s-e0hm-rg -n aks-az-k8s-e0hm --query identityProfile.kubeletidentity.clientId -o tsv)
+        #  subscriptionID: 2d5bb2c8-8be8-4539-b48f-fbfd86852fa9
+        #  resourceGroupName: domainssl
+        #  hostedZoneName: azdemo.co.uk
+    - http01:
+        ingress:
+          class: {{ .Values.ingressClass }}
+{{- end }}
@@ -0,0 +1,10 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-certmanager-httpsolver-inbound
+spec:
+  podSelector:
+    matchLabels:
+      acme.cert-manager.io/http01-solver: "true"
+  ingress:
+  - {}
@@ -0,0 +1,4 @@
+email: "[email protected]"
+ingressClass: azure/application-gateway
+staging: true
+prod : true
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: externaldns
+description: A Helm chart for externaldns
+type: application
+version: 0.2.0 #chart version
+appVersion: "1.16.0" #your app version (used as an image tag)