Showing
4 changed files
with
157 additions
and
0 deletions.
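--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_SHOWN_ON_PAGE_file1
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+#set vars
+#codebytes
+githubOrganizationName=$(echo $(git remote get-url origin) | cut -f4 -d"/")
+#secure-terraform-on-azure
+githubRepositoryName=$(basename -s .git `git config --get remote.origin.url`)
+
+#create app registration
+applicationRegistrationDetails=$(az ad app create --display-name "${githubRepositoryName}")
+applicationRegistrationObjectId=$(echo $applicationRegistrationDetails | jq -r '.id')
+applicationRegistrationAppId=$(echo $applicationRegistrationDetails | jq -r '.appId')
+
+#created federated creds
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-pr\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:pull_request\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-env-dev\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:dev\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-env-prod\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:environment:prod\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+az ad app federated-credential create \
+--id $applicationRegistrationObjectId \
+--parameters "{\"name\":\"${githubRepositoryName}-branch-main\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:ref:refs/heads/main\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
+
+az ad sp create --id $applicationRegistrationObjectId
+
+AZURE_CLIENT_ID=$applicationRegistrationAppId
+AZURE_TENANT_ID=$(az account show --query tenantId --output tsv)
+AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
+
+az role assignment create --assignee $applicationRegistrationAppId --role Contributor --scope "/subscriptions/$AZURE_SUBSCRIPTION_ID"
+
+echo "AZURE_CLIENT_ID: $AZURE_CLIENT_ID"
+echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"
+echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
+
+gh secret set AZURE_CLIENT_ID --body "$AZURE_CLIENT_ID"
+gh secret set AZURE_TENANT_ID --body "$AZURE_TENANT_ID"
+gh secret set AZURE_SUBSCRIPTION_ID --body "$AZURE_SUBSCRIPTION_ID"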
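Review bot: The `az role assignment create` line grants Contributor over the entire subscription to one app registration that the four federated credentials above bind to the pull_request, dev, prod and main subjects alike, so a pull-request workflow obtains the same subscription-wide rights as a production deploy; scope it to the deployment resource group, e.g. `--scope "/subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/<RG-PLACEHOLDER>"`, or create one app registration per environment so each subject maps to its own identity. The script also runs without `set -eu`, so if `az ad app create` fails the empty `$applicationRegistrationObjectId` is silently passed to every `federated-credential create` call; add `set -eu` after the shebang and `: "${applicationRegistrationObjectId:?app registration failed}"` before the first federated-credential call. Because `az ad sp create` runs only a few lines before the role assignment, resolving `--assignee $applicationRegistrationAppId` can fail on directory replication lag; capturing the service principal's object id from `az ad sp create --query id -o tsv` and passing `--assignee-object-id` with `--assignee-principal-type ServicePrincipal` avoids the lookup. Unquoted expansions such as `echo $applicationRegistrationDetails | jq -r '.id'` and the backticks on the `basename` line should be quoted and written as `$( )` so ShellCheck passes.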
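--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_SHOWN_ON_PAGE_file2.sln
@@ -0,0 +1,37 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.5.002.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{E7035618-F471-4A35-8C03-EEDD1FEA3B2B}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "hello-containers", "src\hello-containers\hello-containers.csproj", "{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SampleApi", "src\SampleApi\SampleApi.csproj", "{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Any CPU = Debug|Any CPU
+Release|Any CPU = Release|Any CPU
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{7064BCB9-4EC3-4D52-B112-D6C0527B92F3}.Release|Any CPU.Build.0 = Release|Any CPU
+{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Debug|Any CPU.Build.0 = Debug|Any CPU
+{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Release|Any CPU.ActiveCfg = Release|Any CPU
+{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1}.Release|Any CPU.Build.0 = Release|Any CPU
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+GlobalSection(NestedProjects) = preSolution
+{7064BCB9-4EC3-4D52-B112-D6C0527B92F3} = {E7035618-F471-4A35-8C03-EEDD1FEA3B2B}
+{E0E8B4AF-D81D-499C-8CB1-2FA3AA0684D1} = {E7035618-F471-4A35-8C03-EEDD1FEA3B2B}
+EndGlobalSection
+GlobalSection(ExtensibilityGlobals) = postSolution
+SolutionGuid = {E2B60925-3A4E-4748-BA9A-0FD83439835E}
+EndGlobalSection
+EndGlobal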
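--- /dev/null
+++ b/PLACEHOLDER_PATH_NOT_SHOWN_ON_PAGE_file3
@@ -0,0 +1,60 @@
+
+ACR_NAME=cayerscontainersdemo.azurecr.io
+az group create --name rg-containers-demos --location eastus
+az acr create --name cayerscontainersdemo -g rg-containers-demos -l eastus --sku Standard
+az acr login -n cayerscontainersdemo
+
+---
+
+cd src/SampleApi
+cd src/hello-containers
+
+---
+
+docker build . -t sampleapi:latest
+docker run -it --rm -p 8080:8080 sampleapi:latest
+
+--- size
+
+docker run -it --rm --entrypoint /bin/bash sampleapi:latest
+
+dotnet publish -t:PublishContainer -p ContainerImageTag=published
+dotnet publish -t:PublishContainer -p ContainerImageTag=alpine -p ContainerFamily=alpine
+dotnet publish -t:PublishContainer -p ContainerImageTag=chiseled -p ContainerFamily=jammy-chiseled
+
+--- packages
+
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0 | grep dotnet | wc -l
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0 | grep deb | wc -l
+
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0-jammy-chiseled | grep dotnet | wc -l
+docker run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:8.0-jammy-chiseled | grep deb | wc -l
+
+--- security
+
+docker run -it --rm --entrypoint /bin/bash hello-containers:latest
+
+whoami
+apt
+
+docker run -it --rm --entrypoint /bin/bash --user root hello-containers:latest
+
+---
+
+wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb
+sudo dpkg -i trivy_0.18.3_Linux-64bit.deb
+
+trivy i hello-containers
+trivy i hello-containers:alpine
+trivy i hello-containers:chiseled
+
+dotnet publish -t:PublishContainer -p ContainerImageTag=arm64 --arch arm64
+docker run sampleapi:arm64
+
+az acr build --registry $ACR_NAME --image test:v1 --file Dockerfile .
+
+docker login cayerscontainersdemo.azurecr.io
+
+az acr login -n $ACR_NAME
+docker run -p 8080:8080 $ACR_NAME/test:v1
+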
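Review bot: The `wget` line fetches the trivy 0.18.3 package and the following `sudo dpkg -i` installs it with no checksum or signature verification, and 0.18.3 is an old pin for a vulnerability scanner; fetch the checksums file published with the same release, run `sha256sum -c` against the .deb before `dpkg -i`, and move the pin to a current release. `cd src/SampleApi` followed directly by `cd src/hello-containers` cannot both succeed from one working directory, so these are presumably alternative steps in a demo walkthrough — a one-line comment above each block naming the project it applies to would make the notes reproducible. `ACR_NAME` on the first line holds the registry login server, while the `az acr create` and first `az acr login` lines hard-code `cayerscontainersdemo` separately; deriving one from the other keeps the two from drifting.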