# Simple OpenID Connect test application

Prerequisites:

- App Gateway VNET peered with AKS VNET.
- A user assigned managed identity with contributor role on the AKS cluster resource group. The least permission would be "Network Contributor" but needs further testing to confirm.
- SP with the reply URLs below and "id_token" enabled:
  a. https://<appGWFQDN>
  b. https://<appGWFQDN>/signin-oidc/
- Self-signed root certificate and server certificate (root: www.contoso.com, server: www.fabrikam.com).
- Clone the code locally:

  ```shell
  git clone https://github.com/joergjo/dotnet-oidc-webapp.git
  ```

- Log in to your Azure account with the context of the subscription in which the ACR resides:

  ```shell
  az login
  az account set -s <SUB_ID>
  ```

- Modify the acr-build.sh file (replace <YOUR_ACR> and <YOUR_ACR_RG> with your registry name and its resource group):

  ```bash
  #!/bin/bash
  version=${1:-3.1}
  repo=dotnet-samples/openidconnect
  az acr login -n <YOUR_ACR> -g <YOUR_ACR_RG>
  az acr build --registry <YOUR_ACR> -t ${repo}:latest -t ${repo}:${version}-{{.Run.ID}} -f ./src/OpenIdConnect.WebApp/Dockerfile .
  ```

- Change the permissions of the file to execute:

  ```shell
  chmod +x acr-build.sh
  ```

- Execute the script:

  ```shell
  ./acr-build.sh
  ```
Generate self-signed root and server certificates following https://docs.microsoft.com/en-us/azure/application-gateway/self-signed-certificates, or use the certificates available in the certs folder.

Create a PFX certificate to use for the backend servers:

```shell
openssl pkcs12 -export -out .\certs\fabrikam.pfx -in .\certs\fabrikam.crt -inkey .\certs\fabrikam.key -certfile .\certs\contoso_original.crt
```

Deploy the network, ACR, MI, AKS and Private DNS Zone using the PowerShell script Deploy-AksAadApp.ps1.
Get the cluster credentials and create the ingress namespace:

```shell
az aks get-credentials -n <aks_cluster_name> -g <aks_cluster_RG>
kubectl create namespace ingress-basic
```

Create ingress_internal.yaml so that the nginx ingress controller is exposed through an internal load balancer:

```yaml
controller:
  service:
    loadBalancerIP: 10.58.1.70 # IP address from the subnet
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
```

Install the nginx ingress controller with these values:

```shell
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm install nginx-ingress ingress-nginx/ingress-nginx \
  --namespace ingress-basic \
  -f ingress_internal.yaml \
  --set controller.replicaCount=2 \
  --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
  --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
```

Create the application namespace and the TLS secret holding the server certificate:

```shell
kubectl create ns dotnetapp
kubectl create secret tls fabrikam-tls --key fabrikam.key --cert fabrikam.crt -n dotnetapp
```
Update app.yaml with the Azure AD settings of your tenant. ReverseProxyBaseUri must be the public FQDN of the Application Gateway, the same host used in the SP reply URLs, not the internal ingress hostname:

```yaml
AzureAd__Domain:
AzureAd__TenantId:
AzureAd__ClientId:
ReverseProxyBaseUri: https://<FQDN_of_AppGw>
```

Then apply it:

```shell
kubectl apply -f app.yaml -n dotnetapp
```
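As an added check, not part of the original repository: Azure AD matches the redirect_uri in an authorization request against the registered reply URLs exactly, so the helper below takes the Location header of the app's redirect to the authorize endpoint and reports whether redirect_uri matches one of the two reply URLs from the prerequisites, or why it does not (host differs from the App Gateway FQDN, trailing-slash difference, non-https scheme). It assumes, as the settings above suggest, that the app derives its callback from ReverseProxyBaseUri; the FQDN appgw.example.com and the sample Location header are constructed placeholders.

```python
"""Added check: does the redirect_uri the app sends to Azure AD match a registered reply URL?

Azure AD compares redirect_uri with the SP's reply URLs exactly (scheme, host, path and
trailing slash), so a wrong ReverseProxyBaseUri shows up as a redirect URI mismatch.
"""
from urllib.parse import parse_qs, urlparse

# Placeholder for <appGWFQDN>; the two reply URLs are the ones the prerequisites register.
APP_GW_FQDN = "appgw.example.com"
REPLY_URLS = [f"https://{APP_GW_FQDN}", f"https://{APP_GW_FQDN}/signin-oidc/"]


def redirect_uri_from_location(location):
    """Return the percent-decoded redirect_uri from an authorize-endpoint URL, or None."""
    values = parse_qs(urlparse(location).query).get("redirect_uri")
    return values[0] if values else None


def check_redirect_uri(location, reply_urls=REPLY_URLS, gateway_fqdn=APP_GW_FQDN):
    """Return (ok, reason) for the Location header of the app's redirect to Azure AD."""
    uri = redirect_uri_from_location(location)
    if uri is None:
        return False, "authorize request carries no redirect_uri"
    if uri in reply_urls:
        return True, "redirect_uri matches a registered reply URL"
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        return False, f"redirect_uri is not https: {uri}"
    if parsed.hostname != gateway_fqdn:
        # Typical cause: ReverseProxyBaseUri still points at the internal ingress host,
        # so the app builds its callback from the wrong hostname.
        return False, f"host {parsed.hostname} is not the App Gateway FQDN; check ReverseProxyBaseUri"
    for registered in reply_urls:
        if uri.rstrip("/") == registered.rstrip("/"):
            return False, f"trailing-slash mismatch: app sent {uri}, SP has {registered}"
    return False, f"path {parsed.path} is not registered as a reply URL"


if __name__ == "__main__":
    # Constructed sample: the Location header a browser receives when the app, reached
    # through App Gateway, redirects it to the authorize endpoint.
    sample = ("https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize"
              "?client_id=<client>&response_type=id_token"
              "&redirect_uri=https%3A%2F%2Fappgw.example.com%2Fsignin-oidc%2F")
    print(check_redirect_uri(sample))
```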
- Modify the instanceAdminGroupObjectId and instanceDeveloperGroupObjectId values with the proper Azure AD group object IDs for the Admin and Developer groups.
- Update the app.yaml with the same process defined in the previous step.
- Deploy the helm chart:

  ```shell
  helm install oidcapp .\app
  ```
Change the IP address of the A record created for www.fabrikam.com to the nginx ingress controller's IP, which you can read from the service:

```shell
kubectl get svc nginx-ingress-ingress-nginx-controller -n ingress-basic -o jsonpath='{.spec.loadBalancerIP}'
```