From b2e8fc041a9320a26e59b2b534c5c6df93e5f334 Mon Sep 17 00:00:00 2001
From: Galia Cheng
Date: Tue, 2 Jul 2024 21:46:20 +0800
Subject: [PATCH] Apply recent customer learning to WKS on AKS offer (#317)
* create a different key vault for every deployment.
* do not record the keyvault name as we will not reuse it.
* increase pom.
* add disambiguator suffix to file share name.
* do not provision public IP for ubuntu machine.
---
 pom.xml | 2 +-
 .../main/arm/scripts/createVMAndBuildImage.sh | 12 +-------
 .../src/main/arm/scripts/pv.yaml.template | 2 +-
 .../src/main/arm/scripts/setupWLSDomain.sh | 1 +
 .../src/main/bicep/mainTemplate.bicep | 30 +++----------------
 .../modules/_azure-resoruces/_storage.bicep | 4 +--
 .../_ds-create-wls-cluster.bicep | 5 ++++
 .../bicep/modules/setupWebLogicCluster.bicep | 3 ++
 8 files changed, 18 insertions(+), 41 deletions(-)
diff --git a/pom.xml b/pom.xml
index b1d449c17..b13b3453d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -40,7 +40,7 @@ - 1.0.77 + 1.0.78 1.0.27 1.0.51
diff --git a/weblogic-azure-aks/src/main/arm/scripts/createVMAndBuildImage.sh b/weblogic-azure-aks/src/main/arm/scripts/createVMAndBuildImage.sh
index a0c7eaf1e..1b74619f1 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/createVMAndBuildImage.sh
+++ b/weblogic-azure-aks/src/main/arm/scripts/createVMAndBuildImage.sh
@@ -32,15 +32,6 @@ function cleanup_vm() {
 | where nics == 1 or nic.properties.primary =~ 'true' or isempty(nic) \
 | project nicId = tostring(nic.id)" --query "data[0].nicId" -o tsv)
- # query ip id ipId=$(az graph query -q "Resources \
-| where type =~ 'microsoft.network/networkinterfaces' \
-| where id=~ '${nicId}' \
-| extend ipConfigsCount=array_length(properties.ipConfigurations) \
-| mv-expand ipconfig=properties.ipConfigurations \
-| where ipConfigsCount == 1 or ipconfig.properties.primary =~ 'true' \
-| project publicIpId = tostring(ipconfig.properties.publicIPAddress.id)" --query "data[0].publicIpId" -o tsv)
- # query os disk id osDiskId=$(az graph query -q "Resources \
 | where type =~ 'microsoft.compute/virtualmachines' \
@@ -67,8 +58,6 @@ function cleanup_vm() {
 az vm delete --ids $vmId --yes
 echo "deleting nic ${nicId}"
 az network nic delete --ids ${nicId}
- echo "deleting public-ip ${ipId}"
- az network public-ip delete --ids ${ipId}
 echo "deleting disk ${osDiskId}"
 az disk delete --yes --ids ${osDiskId}
 echo "deleting vnet ${vnetId}"
@@ -120,6 +109,7 @@ function build_docker_image() {
 --enable-agent true \
 --vnet-name ${vmName}VNET \
 --enable-auto-update false \
+ --public-ip-address "" \
 --tags SkipASMAzSecPack=true SkipNRMSCorp=true SkipNRMSDatabricks=true SkipNRMSDB=true SkipNRMSHigh=true SkipNRMSMedium=true SkipNRMSRDPSSH=true SkipNRMSSAW=true SkipNRMSMgmt=true --verbose
 if [[ "${USE_ORACLE_IMAGE,,}" == "${constTrue}" ]]; then
diff --git a/weblogic-azure-aks/src/main/arm/scripts/pv.yaml.template b/weblogic-azure-aks/src/main/arm/scripts/pv.yaml.template
index 349ced5c6..74ee054b1 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/pv.yaml.template
+++ b/weblogic-azure-aks/src/main/arm/scripts/pv.yaml.template
@@ -21,7 +21,7 @@ spec:
 namespace: @NAMESPACE@
 azureFile:
 secretName: azure-secret
- shareName: weblogic
+ shareName: @FILE_SHARE_NAME@
 readOnly: false
 mountOptions:
 - dir_mode=0777
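Review bot: The new `--public-ip-address "" \` argument in build_docker_image has no comment, so a later reader cannot tell it is deliberate hardening (az CLI treats `""` as "attach no public IP") rather than a placeholder left empty by mistake; suggest `# no public IP: the build VM is reached only from inside ${vmName}VNET (az CLI: "" = none)`, assuming the later build steps do drive the VM over the VNet. The two cleanup_vm hunks drop the public-IP lookup and delete consistently with that, but a VM left behind by a run of the previous version keeps its public IP and cleanup_vm will no longer remove it; if such leftovers are possible the upgrade notes should mention removing them by hand. Both cleanup_vm and build_docker_image continue outside the hunks.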
diff --git a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
index fbdcab296..9e5df87da 100644
--- a/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
+++ b/weblogic-azure-aks/src/main/arm/scripts/setupWLSDomain.sh
@@ -548,6 +548,7 @@ function create_pv() {
 sed -i -e "s:@PV_NAME@:${pvName}:g" ${customPVYaml}
 sed -i -e "s:@PVC_NAME@:${pvcName}:g" ${customPVYaml}
 sed -i -e "s:@STORAGE_ACCOUNT@:${STORAGE_ACCOUNT_NAME}:g" ${customPVYaml}
+ sed -i -e "s:@FILE_SHARE_NAME@:${FILE_SHARE_NAME}:g" ${customPVYaml}
 # generate pv configurations
 customPVCYaml=${scriptDir}/pvc.yaml
diff --git a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
index 04741fb30..2553aab50 100644
--- a/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
+++ b/weblogic-azure-aks/src/main/bicep/mainTemplate.bicep
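Review bot: The added `sed` on `@FILE_SHARE_NAME@` substitutes `${FILE_SHARE_NAME}` without checking that it is set, so an empty value (setupWebLogicCluster.bicep defaults `fileShareName` to `''`) renders `shareName:` with no value in the PV and the failure only shows up when the pod tries to mount the share. Suggest failing fast before the substitutions in create_pv: `if [[ -z "${FILE_SHARE_NAME}" ]]; then echo "FILE_SHARE_NAME is not set"; exit 1; fi`. The `:` sed delimiter is safe for the generated `weblogic-<uniqueString>` value, and Azure file share names cannot contain a colon, but a one-line comment stating that assumption next to the sed line would help whoever changes the naming later. create_pv continues outside the hunk.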
@@ -317,21 +317,15 @@ var const_appGatewaySSLCertOptionHaveCert = 'haveCert'
 var const_appGatewaySSLCertOptionHaveKeyVault = 'haveKeyVault'
 var const_azcliVersion = '2.53.0'
 var const_azureSubjectName = format('{0}.{1}.{2}', name_domainLabelforApplicationGateway, location, 'cloudapp.azure.com')
-var const_hasTags = contains(resourceGroup(), 'tags')
-// If there is not tag 'wlsKeyVault' and key vault is created for the following usage:
-// * upload custom TLS/SSL certificates for WLS trust and identity.
-// * upload custom certificate for gateway frontend TLS/SSL.
-// * generate selfsigned certificate for gateway frontend TLS/SSL.
-var const_bCreateNewKeyVault = (!const_hasTags || !contains(resourceGroup().tags, name_tagNameForKeyVault) || empty(resourceGroup().tags.wlsKeyVault)) && ((enableCustomSSL && sslConfigurationAccessOption != const_wlsSSLCertOptionKeyVault) || (enableAppGWIngress && (appGatewayCertificateOption != const_appGatewaySSLCertOptionHaveKeyVault)))
 var const_bCreateStorageAccount = (createAKSCluster || !const_hasStorageAccount) && const_enablePV
 var const_bValidateApplications= validateApplications && (length(appPackageUrls) > 0)
 var const_createNewAcr = useOracleImage && createACR
 var const_defaultKeystoreType = 'PKCS12'
 var const_enableNetworking = (length(lbSvcValues) > 0) || enableAppGWIngress
 var const_enablePV = enableCustomSSL || enableAzureFileShare
+var const_fileShareName = 'weblogic-${uniqueString(utcValue)}'
 var const_hasStorageAccount = !createAKSCluster && queryStorageAccount.outputs.storageAccount != 'null'
 var const_identityKeyStoreType = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStoreType : sslUploadedCustomIdentityKeyStoreType
-var const_keyvaultNameFromTag = const_hasTags && contains(resourceGroup().tags, name_tagNameForKeyVault) ? 
resourceGroup().tags.wlsKeyVault : ''
 var const_showAdminConsoleExUrl = (length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForAdminServer)
 var const_showRemoteAdminConsoleExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && !enableCustomSSL
 var const_showRemoteAdminConsoleSecuredExUrl = ((length(lbSvcValues) > 0) || (enableAppGWIngress && appgwForRemoteConsole)) && enableCustomSSL
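Review bot: With `name_keyVaultName` now always `wls-kv${uniqueString(utcValue)}` (second hunk of this file) and the `applyTags` resource removed, nothing records which vault a given deployment created, and the comment that explained when a vault is needed disappeared together with `const_bCreateNewKeyVault`. Every redeployment therefore leaves the previous vault, holding the WLS identity/trust keystores and the gateway certificate, in place with no reference to it; if the vault name is not already a deployment output, consider adding one so operators can find and retire old vaults. If `const_bCreateNewKeyVault` or `const_keyvaultNameFromTag` is still referenced anywhere outside this diff the template no longer compiles; presumably their only remaining use was `applyTags`, but that is worth confirming. Suggest keeping a one-line comment on the new `name_keyVaultName`: `// a fresh key vault is created per deployment and never reused, so its name is no longer recorded in resource group tags`.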
@@ -346,14 +340,12 @@ var name_dnsNameforApplicationGateway = '${dnsNameforApplicationGateway}${take(u
 var name_domainLabelforApplicationGateway = take('${name_dnsNameforApplicationGateway}-${toLower(name_rgNameWithoutSpecialCharacter)}-${toLower(wlsDomainName)}', 63)
 var name_identityKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStoreDataSecretName : 'myIdentityKeyStoreData'
 var name_identityKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomIdentityKeyStorePassPhraseSecretName : 'myIdentityKeyStorePsw'
-var name_keyVaultName = empty(const_keyvaultNameFromTag) ? '${take('wls-kv${uniqueString(utcValue)}', 24)}' : resourceGroup().tags.wlsKeyVault
+var name_keyVaultName = '${take('wls-kv${uniqueString(utcValue)}', 24)}'
 var name_privateKeyAliasSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultPrivateKeyAliasSecretName : 'privateKeyAlias'
 var name_privateKeyPswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultPrivateKeyPassPhraseSecretName : 'privateKeyPsw'
 var name_rgNameWithoutSpecialCharacter = replace(replace(replace(replace(resourceGroup().name, '.', ''), '(', ''), ')', ''), '_', '') // remove . () _ from resource group name
 var name_rgKeyvaultForWLSSSL = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultResourceGroup : resourceGroup().name
 var name_storageAccountName = const_hasStorageAccount ? queryStorageAccount.outputs.storageAccount : 'wls${uniqueString(utcValue)}'
-var name_tagNameForKeyVault = 'wlsKeyVault'
-var name_tagNameForStorageAccount = 'wlsStorageAccount'
 var name_trustKeyStoreDataSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? sslKeyVaultCustomTrustKeyStoreDataSecretName : 'myTrustKeyStoreData'
 var name_trustKeyStorePswSecret = (sslConfigurationAccessOption == const_wlsSSLCertOptionKeyVault) ? 
sslKeyVaultCustomTrustKeyStorePassPhraseSecretName : 'myTrustKeyStorePsw'
 var ref_wlsDomainDeployment = _enableCustomSSL ? wlsDomainWithCustomSSLDeployment : wlsDomainDeployment
@@ -589,6 +581,7 @@ module wlsDomainDeployment 'modules/setupWebLogicCluster.bicep' = if (!enableCus
 enableClusterT3Tunneling: enableClusterT3Tunneling
 enablePswlessConnection: enablePswlessConnection
 enablePV: const_enablePV
+ fileShareName: const_fileShareName
 identity: obj_uamiForDeploymentScript
 isSSOSupportEntitled: isSSOSupportEntitled
 location: location
@@ -660,6 +653,7 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i
 enableClusterT3Tunneling: enableClusterT3Tunneling
 enablePswlessConnection: enablePswlessConnection
 enablePV: const_enablePV
+ fileShareName: const_fileShareName
 identity: obj_uamiForDeploymentScript
 isSSOSupportEntitled: isSSOSupportEntitled
 location: location
@@ -698,22 +692,6 @@ module wlsDomainWithCustomSSLDeployment 'modules/setupWebLogicCluster.bicep' = i
 ]
 }
-/*
- * Update tags to save key vault name and storage account name that are used for current configuration
-*/
-resource applyTags 'Microsoft.Resources/tags@${azure.apiVersionForTags}' = {
- name: 'default'
- properties: {
- tags: {
- '${name_tagNameForKeyVault}': const_bCreateNewKeyVault ? name_keyVaultName : const_keyvaultNameFromTag
- '${name_tagNameForStorageAccount}': (const_bCreateStorageAccount || const_hasStorageAccount) ? name_storageAccountName : ''
- }
- }
- dependsOn: [
- appgwSecretDeployment
- ]
-}
-
 module networkingDeployment 'modules/networking.bicep' = if (const_enableNetworking) {
 name: 'networking-deployment'
 params: {
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_storage.bicep b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_storage.bicep
index 93f5fddde..4d543cfde 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_storage.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_azure-resoruces/_storage.bicep
@@ -1,13 +1,13 @@
 // Copyright (c) 2021, Oracle Corporation and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
+param fileShareName string
 param location string
 param storageAccountName string = 'stg-contoso'
 param utcValue string = utcNow()
 var const_shareQuota = 5120
 var const_sku = 'Standard_LRS'
-var name_fileShare = 'weblogic'
 resource storageAccount 'Microsoft.Storage/storageAccounts@${azure.apiVersionForStorage}' = {
 name: storageAccountName
@@ -40,7 +40,7 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@${azure.apiVersionFor
 }
 resource fileService 'Microsoft.Storage/storageAccounts/fileServices/shares@${azure.apiVersionForStorageFileService}' = {
- name: '${storageAccount.name}/default/${name_fileShare}'
+ name: '${storageAccount.name}/default/${fileShareName}'
 properties: {
 accessTier: 'TransactionOptimized'
 shareQuota: const_shareQuota
diff --git a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep
index 6208a9ac9..4577addfc 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/_deployment-scripts/_ds-create-wls-cluster.bicep
@@ -19,6 +19,7 @@ param enableAdminT3Tunneling bool = false
 param enableClusterT3Tunneling bool = false
 param enablePswlessConnection bool = false
 param enablePV bool = false
+param fileShareName string
 param identity object = {}
 param isSSOSupportEntitled bool
 param location string
@@ -129,6 +130,10 @@ resource deploymentScript 'Microsoft.Resources/deploymentScripts@${azure.apiVers
 name: 'ENABLE_PV'
 value: string(enablePV)
 }
+ {
+ name: 'FILE_SHARE_NAME'
+ value: fileShareName
+ }
 {
 name: 'ORACLE_ACCOUNT_NAME'
 value: ocrSSOUser
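Review bot: `param fileShareName string` in _storage.bicep carries no validation or description, yet it is interpolated straight into the share resource name in the second hunk, so an empty or malformed value (the only upstream default, in setupWebLogicCluster.bicep, is `''`) produces `<account>/default/` and fails late at deployment time rather than at template validation. Suggest declaring it as `@minLength(3)` `@maxLength(63)` `@description('Name of the Azure Files share: 3-63 lowercase letters, digits and hyphens')` above `param fileShareName string`, matching the decorator style already used on `identity` in setupWebLogicCluster.bicep. The same value is handed to the deployment script as `FILE_SHARE_NAME` in _ds-create-wls-cluster.bicep, so the constraint protects both consumers.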
diff --git a/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep b/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
index 959c7d7c2..d369dc0eb 100644
--- a/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
+++ b/weblogic-azure-aks/src/main/bicep/modules/setupWebLogicCluster.bicep
@@ -69,6 +69,7 @@ param enableAdminT3Tunneling bool = false
 param enableClusterT3Tunneling bool = false
 param enablePswlessConnection bool = false
 param enablePV bool = false
+param fileShareName string = ''
 @description('An user assigned managed identity. Make sure the identity has permission to create/update/delete/list Azure resources.')
 param identity object = {}
 param isSSOSupportEntitled bool
@@ -178,6 +179,7 @@ module aksClusterDeployment './_azure-resoruces/_aks.bicep' = if (createAKSClust
 module storageDeployment './_azure-resoruces/_storage.bicep' = if (createStorageAccount) {
 name: 'storage-deployment'
 params: {
+ fileShareName: fileShareName
 location: location
 storageAccountName: storageAccountName
 }
@@ -208,6 +210,7 @@ module wlsDomainDeployment './_deployment-scripts/_ds-create-wls-cluster.bicep'
 enableClusterT3Tunneling: enableClusterT3Tunneling
 enablePswlessConnection: enablePswlessConnection
 enablePV: enablePV
+ fileShareName: fileShareName
 identity: identity
 isSSOSupportEntitled: isSSOSupportEntitled
 location: location
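Review bot: `param fileShareName string = ''` gives the new parameter an empty default, but both consumers it is forwarded to in the later hunks (`_storage.bicep` and `_ds-create-wls-cluster.bicep`) declare it as required, and _storage.bicep builds the share resource name from it, so the default can never yield a working deployment and only hides the omission until deployment time. Either drop the default, `param fileShareName string`, or at least add a `@description('Name of the Azure Files share created for the WLS domain')` decorator like the neighbouring `identity` parameter so the contract is visible; mainTemplate.bicep already always passes `const_fileShareName`, so removing the default costs nothing there.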