Apply recent customer learning to WKS on AKS offer (oracle#317)

* create a different key vault for every deployment.

* do not record the keyvault name as we will not reuse it.

* increase pom.

* add disambiguator suffix to file share name.

* do not provision public IP for ubuntu machine.

pom.xml

@@ -40,7 +40,7 @@
     <properties>    
         <!--  versions  start -->
         <!--  weblogic azure aks versions  -->
-        <version.wls-on-aks-azure-marketplace>1.0.77</version.wls-on-aks-azure-marketplace>
+        <version.wls-on-aks-azure-marketplace>1.0.78</version.wls-on-aks-azure-marketplace>
         <!--  weblogic azure vm versions  -->
         <version.arm-oraclelinux-wls>1.0.27</version.arm-oraclelinux-wls>
         <version.arm-oraclelinux-wls-admin>1.0.51</version.arm-oraclelinux-wls-admin>

weblogic-azure-aks/src/main/arm/scripts/createVMAndBuildImage.sh

@@ -32,15 +32,6 @@ function cleanup_vm() {
 | where nics == 1 or nic.properties.primary =~ 'true' or isempty(nic) \
 | project nicId = tostring(nic.id)" --query "data[0].nicId" -o tsv)
 
-    # query ip id
-    ipId=$(az graph query -q "Resources \
-| where type =~ 'microsoft.network/networkinterfaces' \
-| where id=~ '${nicId}' \
-| extend ipConfigsCount=array_length(properties.ipConfigurations) \
-| mv-expand ipconfig=properties.ipConfigurations \
-| where ipConfigsCount == 1 or ipconfig.properties.primary =~ 'true' \
-| project  publicIpId = tostring(ipconfig.properties.publicIPAddress.id)" --query "data[0].publicIpId" -o tsv)
-
     # query os disk id
     osDiskId=$(az graph query -q "Resources \
 | where type =~ 'microsoft.compute/virtualmachines' \
@@ -67,8 +58,6 @@ function cleanup_vm() {
     az vm delete --ids $vmId --yes
     echo "deleting nic ${nicId}"
     az network nic delete --ids ${nicId}
-    echo "deleting public-ip ${ipId}"
-    az network public-ip delete --ids ${ipId}
     echo "deleting disk ${osDiskId}"
     az disk delete --yes --ids ${osDiskId}
     echo "deleting vnet ${vnetId}"
@@ -120,6 +109,7 @@ function build_docker_image() {
     --enable-agent true \
     --vnet-name ${vmName}VNET \
     --enable-auto-update false \
+    --public-ip-address "" \
     --tags SkipASMAzSecPack=true SkipNRMSCorp=true SkipNRMSDatabricks=true SkipNRMSDB=true SkipNRMSHigh=true SkipNRMSMedium=true SkipNRMSRDPSSH=true SkipNRMSSAW=true SkipNRMSMgmt=true --verbose
 
     if [[ "${USE_ORACLE_IMAGE,,}" == "${constTrue}" ]]; then

weblogic-azure-aks/src/main/arm/scripts/pv.yaml.template

@@ -21,7 +21,7 @@ spec:
     namespace: @NAMESPACE@
   azureFile:
     secretName: azure-secret
-    shareName: weblogic
+    shareName: @FILE_SHARE_NAME@
     readOnly: false
   mountOptions:
   - dir_mode=0777

weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh

@@ -548,6 +548,7 @@ function create_pv() {
     sed -i -e "s:@PV_NAME@:${pvName}:g" ${customPVYaml}
     sed -i -e "s:@PVC_NAME@:${pvcName}:g" ${customPVYaml}
     sed -i -e "s:@STORAGE_ACCOUNT@:${STORAGE_ACCOUNT_NAME}:g" ${customPVYaml}
+    sed -i -e "s:@FILE_SHARE_NAME@:${FILE_SHARE_NAME}:g" ${customPVYaml}
 
     # generate pv configurations
     customPVCYaml=${scriptDir}/pvc.yaml

weblogic-azure-aks/src/main/bicep/mainTemplate.bicep

@@ -317,21 +317,15 @@ var const_appGatewaySSLCertOptionHaveCert = 'haveCert'
 var const_appGatewaySSLCertOptionHaveKeyVault = 'haveKeyVault'
 var const_azcliVersion = '2.53.0'
 var const_azureSubjectName = format('{0}.{1}.{2}', name_domainLabelforApplicationGateway, location, 'cloudapp.azure.com')
-var const_hasTags = contains(resourceGroup(), 'tags')
-// If there is not tag 'wlsKeyVault' and key vault is created for the following usage:
-// * upload custom TLS/SSL certificates for WLS trust and identity.
-// * upload custom certificate for gateway frontend TLS/SSL.
-// * generate selfsigned certificate for gateway frontend TLS/SSL.
-var const_bCreateNewKeyVault = (!const_hasTags || !contains(resourceGroup().tags, name_tagNameForKeyVault) || empty(resourceGroup().tags.wlsKeyVault)) && ((enableCustomSSL && sslConfigurationAccessOption != const_wlsSSLCertOptionKeyVault) || (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)))
 var const_bCreateStorageAccount = (createAKSCluster || !const_hasStorageAccount) && const_enablePV
 var const_bValidateApplications= validateApplications && (length(appPackageUrls) > 0)
 var const_createNewAcr = useOracleImage && createACR
 var const_defaultKeystoreType = 'PKCS12'
 var const_enableNetworking = (length(lbSvcValues) > 0) || enableAppGWIngress
 var const_enablePV = enableCustomSSL || enableAzureFileShare
+var const_fileShareName = 'weblogic-${uniqueString(utcValue)}'
 var const_hasStorageAccount = !createAKSCluster && queryStorageAccount.outputs.storageAccount != 'null'
 var const_identityKeyStoreType = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStoreType : sslUploadedCustomIdentityKeyStoreType
-var const_keyvaultNameFromTag = const_hasTags && contains(resourceGroup().tags, name_tagNameForKeyVault) ? resourceGroup().tags.wlsKeyVault : ''
 var const_showAdminConsoleExUrl = (length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForAdminServer)
 var const_showRemoteAdminConsoleExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && !enableCustomSSL
 var const_showRemoteAdminConsoleSecuredExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && enableCustomSSL
@@ -346,14 +340,12 @@ var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${take(u
 var name_domainLabelforApplicationGateway = take('${name_dnsNameforApplicationGateway}-${toLower(name_rgNameWithoutSpecialCharacter)}-${toLower(wlsDomainName)}', 63)
 var name_identityKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStoreDataSecretName : 'myIdentityKeyStoreData'
 var name_identityKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName : 'myIdentityKeyStorePsw'
-var name_keyVaultName = empty(const_keyvaultNameFromTag) ? '${take('wls-kv${uniqueString(utcValue)}', 24)}' : resourceGroup().tags.wlsKeyVault
+var name_keyVaultName = '${take('wls-kv${uniqueString(utcValue)}', 24)}'
 var name_privateKeyAliasSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultPrivateKeyAliasSecretName : 'privateKeyAlias'
 var name_privateKeyPswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultPrivateKeyPassPhraseSecretName : 'privateKeyPsw'
 var name_rgNameWithoutSpecialCharacter = replace(replace(replace(replace(resourceGroup().name, '.', ''), '(', ''), ')', ''), '_', '') // remove . () _ from resource group name
 var name_rgKeyvaultForWLSSSL = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultResourceGroup : resourceGroup().name
 var name_storageAccountName = const_hasStorageAccount ? queryStorageAccount.outputs.storageAccount : 'wls${uniqueString(utcValue)}'
-var name_tagNameForKeyVault = 'wlsKeyVault'
-var name_tagNameForStorageAccount = 'wlsStorageAccount'
 var name_trustKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStoreDataSecretName : 'myTrustKeyStoreData'
 var name_trustKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStorePassPhraseSecretName : 'myTrustKeyStorePsw'
 var ref_wlsDomainDeployment = _enableCustomSSL ? wlsDomainWithCustomSSLDeployment : wlsDomainDeployment
@@ -589,6 +581,7 @@ module wlsDomainDeployment 'modules/setupWebLogicCluster.bicep' = if (!enableCus
     enableClusterT3Tunneling: enableClusterT3Tunneling
     enablePswlessConnection: enablePswlessConnection
     enablePV: const_enablePV
+    fileShareName: const_fileShareName
     identity: obj_uamiForDeploymentScript
     isSSOSupportEntitled: isSSOSupportEntitled
     location: location
@@ -660,6 +653,7 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i
     enableClusterT3Tunneling: enableClusterT3Tunneling
     enablePswlessConnection: enablePswlessConnection
     enablePV: const_enablePV
+    fileShareName: const_fileShareName
     identity: obj_uamiForDeploymentScript
     isSSOSupportEntitled: isSSOSupportEntitled
     location: location
@@ -698,22 +692,6 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i
   ]
 }
 
-/*
- * Update tags to save key vault name and storage account name that are used for current configuration
-*/
-resource applyTags 'Microsoft.Resources/tags@${azure.apiVersionForTags}' = {
-  name: 'default'
-  properties: {
-    tags: {
-      '${name_tagNameForKeyVault}': const_bCreateNewKeyVault ? name_keyVaultName : const_keyvaultNameFromTag
-      '${name_tagNameForStorageAccount}': (const_bCreateStorageAccount || const_hasStorageAccount) ? name_storageAccountName : ''
-    }
-  }
-  dependsOn: [
-    appgwSecretDeployment
-  ]
-}
-
 module networkingDeployment 'modules/networking.bicep' = if (const_enableNetworking) {
   name: 'networking-deployment'
   params: {

weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_storage.bicep

@@ -1,13 +1,13 @@
 // Copyright (c) 2021, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
+param fileShareName string
 param location string
 param storageAccountName string = 'stg-contoso'
 param utcValue string = utcNow()
 
 var const_shareQuota = 5120
 var const_sku = 'Standard_LRS'
-var name_fileShare = 'weblogic'
 
 resource storageAccount 'Microsoft.Storage/storageAccounts@${azure.apiVersionForStorage}' = {
   name: storageAccountName
@@ -40,7 +40,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@${azure.apiVersionFor
 }
 
 resource fileService 'Microsoft.Storage/storageAccounts/fileServices/shares@${azure.apiVersionForStorageFileService}' = {
-  name: '${storageAccount.name}/default/${name_fileShare}'
+  name: '${storageAccount.name}/default/${fileShareName}'
   properties: {
     accessTier: 'TransactionOptimized'
     shareQuota: const_shareQuota

weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep

@@ -19,6 +19,7 @@ param enableAdminT3Tunneling bool = false
 param enableClusterT3Tunneling bool = false
 param enablePswlessConnection bool = false
 param enablePV bool = false
+param fileShareName string
 param identity object = {}
 param isSSOSupportEntitled bool
 param location string
@@ -129,6 +130,10 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVers
         name: 'ENABLE_PV'
         value: string(enablePV)
       }
+      {
+        name: 'FILE_SHARE_NAME'
+        value: fileShareName
+      }
       {
         name: 'ORACLE_ACCOUNT_NAME'
         value: ocrSSOUser

weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep

@@ -69,6 +69,7 @@ param enableAdminT3Tunneling bool = false
 param enableClusterT3Tunneling bool = false
 param enablePswlessConnection bool = false
 param enablePV bool = false
+param fileShareName string = ''
 @description('An user assigned managed identity. Make sure the identity has permission to create/update/delete/list Azure resources.')
 param identity object = {}
 param isSSOSupportEntitled bool
@@ -178,6 +179,7 @@ module aksClusterDeployment './_azure-resoruces/_aks.bicep' = if (createAKSClust
 module storageDeployment './_azure-resoruces/_storage.bicep' = if (createStorageAccount) {
   name: 'storage-deployment'
   params: {
+    fileShareName: fileShareName
     location: location
     storageAccountName: storageAccountName
   }
@@ -208,6 +210,7 @@ module wlsDomainDeployment './_deployment-scripts/_ds-create-wls-cluster.bicep'
     enableClusterT3Tunneling: enableClusterT3Tunneling
     enablePswlessConnection: enablePswlessConnection
     enablePV: enablePV
+    fileShareName: fileShareName
     identity: identity
     isSSOSupportEntitled: isSSOSupportEntitled
     location: location