Merge pull request #334 from stakater/app-regs
Update Azure AD instructions and fix image indentations and linting errors
rasheedamir authored Oct 31, 2024
2 parents 32f5766 + b7c5a78 commit 03aed8e
Showing 26 changed files with 211 additions and 194 deletions.
2 changes: 1 addition & 1 deletion content/for-administrators/plan-your-environment/sizing.md
@@ -27,7 +27,7 @@ Resource requirements for a single SAAP cluster is as follows:

The overall minimum resource requirements are:

| Machine pool role | Minimum size (vCPU x Memory x Storage) | Minimum pool size | Total vCPUs | Total Memory (GiB) | Total Storage (GiB)
| Machine pool role | Minimum size (vCPU x Memory x Storage) | Minimum pool size | Total vCPUs | Total Memory (GiB) | Total Storage (GiB) |
|:---|:---|---:|---:|---:|---:|
| Control plane | 8 x 32 x 350 | 3 | 24 | 96 | 1050 (Provisioned IOPS 1000) |
| Infra | 8 x 32 x 300 | 3 | 24 | 96 | 900 (General Purpose SSD) |
27 changes: 17 additions & 10 deletions content/for-administrators/secure-your-cluster/azure-gso.md
@@ -1,26 +1,33 @@
# Configuring Azure AD Group Sync Application

1. To enable sync groups from Azure AD (Microsoft's) account to Stakater Cloud you first have to register an application on Azure. Go to the <https://portal.azure.com>
1. Open `Azure Active Directory` service
1. On the left tab under the Manage section, click `App Registrations`
1. Click on `New Registration`. Use `group-sync` under Name and click `Register`
For Azure AD, two applications are needed, one for group synchronization, and one for the identity provider. Only users in target groups are synchronized. These are the steps to enable group sync:

1. To enable sync groups from the Microsoft Azure AD account to Stakater Cloud you first have to register an application on Azure. Go to the [Azure Portal](https://portal.azure.com).
1. Open the `Azure Active Directory` service
1. On the left tab under the Manage section, click `App registrations`
1. Click on `New registration`. Enter `group-sync` as name and click `Register`:

![Azure AD](images/azure-ad.png)

1. The GroupSync job requires additional permissions on the Azure AD tenant. To set these up, add the `Group.Read.All`, `GroupMember.Read.All`,`User.Read.All` entries under the `API Permissions`
1. The `GroupSync` job requires additional permissions on the Azure AD tenant. To set these up, add these permissions under `API permissions` > `Configured permissions`:
* `Group.Read.All`
* `GroupMember.Read.All`
* `User.Read.All`

![Azure App API Permissions](images/azure-permissions-group-sync.png)

1. Click on the newly created app `group-sync`. Click `Certificates & secrets` from the left tab. Click `New Client Secret`. Under `Expires` pick any option. Under `Description` enter *saap-group-sync*, and click `Add`
1. Click on the newly created app `group-sync`. Click `Certificates & secrets` from the left tab. Click `New client secret`. Under `Expires` pick any option. Under `Description` enter `saap-group-sync`, and click `Add`:

![Certificates and Secrets](images/azure-ad-certificates-secrets.png)

1. Copy the value of the newly created client secret and note the `Application (client) ID` and `Directory (tenant) ID` of the `group-sync` app registration from the `Overview` tab. **Send this to Stakater Support**
1. Copy the value of the newly created client secret and note the `Application (client) ID` and `Directory (tenant) ID` of the `group-sync` app registration from the `Overview` tab, and **send them to Stakater Support**:

![Client-Tenant-ID](images/azure-ad-clientid-tenantid.png)

## Items to be provided to Stakater Support

- `Application (client) ID`
- `Directory (tenant) ID`
- `client Secret`
Please provide the secrets via password manager:

* `Application (client) ID`
* `Directory (tenant) ID`
* `Client Secret`
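Review bot: the `Expires` step ("Under `Expires` pick any option") should name a deliberate lifetime, because the `GroupSync` job stops working the moment the client secret expires and nothing in these steps asks the administrator to record the expiry date or plan a rotation; suggest "Under `Expires` choose the shortest lifetime your rotation process supports and note the expiry date". The permissions list under `API permissions` > `Configured permissions` also does not say whether `Group.Read.All`, `GroupMember.Read.All` and `User.Read.All` are to be added as Application or Delegated permissions, nor that an administrator has to grant consent before an unattended job can use them; since this is a tenant-wide read of groups and users, that choice and the consent step belong in the doc. Finally, "Please provide the secrets via password manager" is followed by `Application (client) ID` and `Directory (tenant) ID`, which are identifiers rather than secrets; only `Client Secret` needs the secure channel, and the sentence should say so.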
26 changes: 17 additions & 9 deletions content/for-administrators/secure-your-cluster/azure-idp.md
@@ -1,27 +1,35 @@
# Configuring Azure AD identity provider

1. To enable login with Azure AD (Microsoft's) account you first have to register an OAuth application on Azure. Go to the <https://portal.azure.com>
For Azure AD, two applications are needed, one for group synchronization, and one for the identity provider. These are the steps for identity provider:

1. To enable login with a Microsoft Azure AD account you first have to register an OAuth application on Azure. Login to [Azure Portal](https://portal.azure.com).
1. Open `Azure Active Directory` service
1. On the left tab under the Manage section, click `App Registrations`
1. Click on `New Registration`. Use `saap` under Name. Under Redirect URI section Choose `Web` and enter the Redirect URI (**This will be provided by Stakater Support**) and click `Register`
1. Click on `New registration`. Enter `saap` as the name. Under the `Redirect URI` section, choose `Web` and enter the Redirect URI that **will be provided by Stakater Support** and click `Register`:

![Azure AD](images/azure-ad.png)

1. Go to "API permissions" and add the required Microsoft Graph API permissions. Typically, you need `User.Read` and `openid`, `profile`, and `email` permissions.
1. lick on the newly created app `saap`. Click `Certificates & secrets` from the left tab. Click `New Client Secret`. Under `Expires` pick any option. Under `Description` put *saap oidc* and click `Add`
1. Go to `API permissions` and add the required Microsoft Graph API permissions. Typically, you need these permissions:
* `User.Read`
* `openid`
* `profile`
* `email`
1. Click on the newly created app `saap`. Click `Certificates & secrets` from the left tab. Click `New client secret`. Under `Expires` pick any option. Under `Description` enter `saap oidc` and click `Add`:

![Certificates and Secrets](images/azure-ad-certificates-secrets.png)

1. Copy the value of the newly created client secret and note the `Application (client) ID` and `Directory (tenant) ID` of the `saap` app registration from the `Overview` tab. **Send this to Stakater Support**
1. Copy the value of the newly created client secret and note the `Application (client) ID` and `Directory (tenant) ID` of the `saap` app registration from the `Overview` tab. **Send this to Stakater Support**:

![Client-Tenant-ID](images/azure-ad-clientid-tenantid.png)

## Items provided by Stakater Support

- `Redirect URIs`
* `Redirect URIs`

## Items to be provided to Stakater Support

- `Application (client) ID`
- `Directory (tenant) ID`
- `client Secret`
Please provide the secrets via password manager:

* `Application (client) ID`
* `Directory (tenant) ID`
* `client Secret`
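Review bot: the last line keeps `client Secret` while the same commit changes the group-sync file to `Client Secret`; make the two consistent. The `Expires` step has the same gap as in `azure-gso.md`: "Under `Expires` pick any option" gives no lifetime or rotation guidance, and here an expired secret breaks every login through this identity provider, so ask for a recorded expiry date and a rotation plan. The `Redirect URI` step should also tell the reader to enter the value Stakater Support provides exactly as given, with no extra URIs or wildcards, since that registered URI is what keeps the authorization code from being delivered anywhere else.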
15 changes: 8 additions & 7 deletions content/for-administrators/secure-your-cluster/google-idp.md
@@ -2,24 +2,25 @@

To enable login with Google you first have to create a project and a client in the [Google Developer Console](https://console.cloud.google.com/project).

1. Log in to the Google [Developer Console](https://console.cloud.google.com/project)
1. Log in to the Google [Developer Console](https://console.cloud.google.com/project):

![Developer console](images/google-developer-console.png)

1. Click the `Create Project` button. Use any value for `Project name` and `Project ID` you want, then click the `Create` button. Wait for the project to be created (this may take a while). Once created you will be brought to the project's dashboard.
1. Click the `Create Project` button. Use any value for `Project name` and `Project ID` you want, then click the `Create` button. Wait for the project to be created - this may take a while. Once created you will be brought to the project's dashboard:

![Project Dashboard](images/google-dashboard.png)

1. Google requires some basic information about the product before creating any secrets for it. For a new project, you have first to configure `OAuth consent screen`. Fill in `OAuth consent screen` details. Keep the **Application Type** `Internal`. Add the `email`, `profile` and `openid` in the allowed **Scopes**. Under **Authorized domains** add `kubeapp.cloud` along with any hosted domain(s) which you want to allow. e.g if Authorized domain is `xyz.com` then `[email protected]` will be allowed
![Google OAuth consent screen](images/google-oauth-consent-screen.png)
1. Google requires some basic information about the product before creating any secrets for it. For a new project, you have first to configure `OAuth consent screen`. Fill in `OAuth consent screen` details. Keep the **Application type** `Internal`. Add the `email`, `profile` and `openid` in the allowed **Scopes**. Under **Authorized domains** add `kubeapp.cloud` along with any hosted domains which you want to allow. For example, if Authorized domain is `xyz.com` then `[email protected]` will be allowed:

1. Then navigate to the `APIs & Services` section in the Google Developer Console. On that screen, navigate to `Credentials` administration. select `OAuth client ID` under the `Create credentials` button.
![Google OAuth consent screen](images/google-oauth-consent-screen.png)

1. You will then be brought to the `Create OAuth client ID` page. Select `Web application` as the application type. Specify the name you want for your client. In `Redirect URI` (**This will be provided by Stakater Support**) click the Create button.
1. Then navigate to the `APIs & Services` section in the Google Developer Console. On that screen, navigate to `Credentials` administration. Select `OAuth client ID` under the `Create credentials` button.

1. You will then be brought to the `Create OAuth client ID` page. Select `Web application` as the application type. Specify the name you want for your client. Enter the `Authorized redirect URIs` that **Stakater Support provides**, then click the `Create` button:

![Google OAuth screen](images/google-create-oauth-id.png)

1. After you click Create you will be brought to the `Credentials` page. Click on your new OAuth 2.0 Client ID to view the settings of your new Google Client. You will need to obtain the `client ID` and `secret` **Send these to Stakater Support**.
1. After you click `Create` you will be brought to the `Credentials` page. Click on your new `OAuth 2.0 Client ID` to view the settings of your new Google Client. You will need to provide the `Client ID` and `Client secret` to Stakater, **send these to Stakater Support**:

![client-id-scret](images/google-client-id-secret.png)
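Review bot: the example address in the `Authorized domains` step appears as `[email protected]` in both the removed and the added line, so the sentence "if Authorized domain is `xyz.com` then ... will be allowed" no longer shows an address under `xyz.com`; check the source file for the intended example. The unchanged alt text `client-id-scret` should read `client-id-secret`. And since keeping the **Application type** `Internal` is what restricts sign-in to accounts in the organization's own Google Workspace, the step would be clearer if it said why that setting must stay `Internal` instead of only "Keep the **Application type** `Internal`".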

@@ -58,12 +58,12 @@

1. Open Nexus UI from Forecastle. Upon opening the link, you'll be redirected to Nexus home page.
![`nexus-Forecastle`](../images/nexus-forecastle.png)
![`nexus-homepage`](../images/nexus-homepage.png)
![`nexus-Forecastle`](../images/nexus-forecastle.png)
![`nexus-homepage`](../images/nexus-homepage.png)
1. Select `Browse` from the left sidebar, Click on `docker` to view your Container Image Registry.
![`nexus-browse-docker`](../images/nexus-browse-docker.png)
![`nexus-browse-docker`](../images/nexus-browse-docker.png)
1. Verify that the image you pushed is present in the list.
@@ -22,7 +22,7 @@ Alternatively, Navigate to the cluster Forecastle, search `nexus` using the sear

- `nexus-helm-reg-url` : Add `-helm` in URL after `nexus` and append `/repository/helm-charts/`. This URL points to Helm Registry referred as `nexus-helm-reg-url` in this tutorial for example `https://nexus-helm-stakater-nexus.apps.clustername.random123string.kubeapp.cloud/repository/helm-charts/`

![nexus-Forecastle](../images/nexus-forecastle.png)
![nexus-Forecastle](../images/nexus-forecastle.png)

### Package and Upload the chart to Nexus

@@ -45,12 +45,12 @@ Alternatively, Navigate to the cluster Forecastle, search `nexus` using the sear
1. Open Nexus UI from Forecastle. Upon opening the link, you'll be redirected to Nexus home page.

![`nexus-Forecastle`](../images/nexus-forecastle.png)
![`nexus-homepage`](../images/nexus-homepage.png)
![`nexus-Forecastle`](../images/nexus-forecastle.png)
![`nexus-homepage`](../images/nexus-homepage.png)

1. Select `Browse` from the left sidebar, Click on `Helm Charts` to view your Helm Registry Charts.

![`nexus-browse-helm`](../images/nexus-browse-helm.png)
![`nexus-browse-helm`](../images/nexus-browse-helm.png)

1. Verify that the chart you uploaded is present in the list.

@@ -6,7 +6,7 @@ Welcome to the Nordmart Review 101 guide! In this section, we'll explore the arc

The Nordmart Review is designed with a modular architecture that consists of three crucial components, each playing a unique role in delivering an exceptional user experience:

<div style="text-align:center"><img src="images/nordmart-architecture.png" /></div>
![Nordmart architecture](images/nordmart-architecture.png)

### Review UI

@@ -38,7 +38,7 @@ Welcome to this tutorial on utilizing Horizontal Pod Autoscaler (HPA) in SAAP to
It should look like this:
![autoscaling values](images/autoscaling-yaml.png)
![autoscaling values](images/autoscaling-yaml.png)
1. Save and run `tilt up` at the root of your directory. Hit the space bar and the browser with `TILT` logs will be shown. If everything is green then the changes will be deployed on the cluster.

@@ -59,20 +59,20 @@ Welcome to this tutorial on utilizing Horizontal Pod Autoscaler (HPA) in SAAP to
1. While this is running, we should see in SAAP, the autoscaler is kicking in and spinning up additional pods. Open the `Workloads` tab. At the very bottom, you will see HorizontalPodAutoScalar. Open the review HPA. You will see the below screen
Notice the CPU utilization and desired replica count. It has jumped!

![scale-up](./images/scale-up.png)
![scale-up](./images/scale-up.png)

1. If you navigate to the review deployment, you should see the replica count has jumped and so have the number of pods.

![HPA-deployment](images/deployment-after-autoscale.png)
![HPA-deployment](images/deployment-after-autoscale.png)

![replicas-HPA](images/pods-hpa.png)
![replicas-HPA](images/pods-hpa.png)

1. Now let's wait for a couple of minutes for the load to ease. Navigate back to the `review` HorizontalPodAutoscaler. You will see that the CPU utilization and desired replicas have started going down.

![scale-down](./images/back-to-before-hpa.png)
![scale-down](./images/back-to-before-hpa.png)

1. Go to the review deployment, you will see that it has brought the pods down (Or is trying to decrease the number of pods)

![scale-down](images/back-to-one-pod.png)
![scale-down](images/back-to-one-pod.png)

WELL DONE!! YOU NOW HAVE AUTO SCALING WITH YOUR APPLICATION!!
@@ -19,15 +19,15 @@ The webhook setup acts as a bridge between your code repository and the CI/CD pi

1. Begin by accessing the repository where you plan to set up the webhook. In your source code GitHub repository, locate and click on the `Settings` tab.

![Repository settings](images/repository-settings.png)
![Repository settings](images/repository-settings.png)

1. Within the repository settings, navigate to the `Webhooks` section. This is where you can manage and configure webhooks for your repository.

![Webhook](images/webhook.png)
![Webhook](images/webhook.png)

1. Click on the option to `Add a new webhook` to initiate the process of creating a new webhook for your repository.

![Webhook](images/add-webhook.png)
![Webhook](images/add-webhook.png)

1. To set up the webhook, you'll need the `URL of the pipeline-as-code interceptor`. This URL is used to connect GitHub with your SAAP's pipeline system.

@@ -68,25 +68,25 @@ The webhook setup acts as a bridge between your code repository and the CI/CD pi
1. Access Vault from `Forecastle` console, search `Vault` and open the `Vault` tile.
<div style="text-align:center"><img src="images/forecastle.png" /></div>
![Forecastle](images/forecastle.png)
1. From the drop-down menu under `Method`, select `OIDC` and click on `Sign in with OIDC Provider`.
<div style="text-align:center"><img src="images/login-oidc.png" /></div>
![login-oidcs](images/login-oidc.png)
1. You will be brought to the `Vault` console. You should see the key/value path for <your-tenant>.
<div style="text-align:center"><img src="images/vault-tenant.png" /></div>
![Vault tenant](images/vault-tenant.png)
1. Click on `<your-tenant>/kv/`.
1. You will now be brought to the `secrets` and the `configurations` in Vault for <your-tenant>. Click on `create secret`.
<div style="text-align:center"><img src="images/create-secret.png" /></div>
![create-secret](images/create-secret.png)
1. Let's create a `github-webhook-config` secret for our webhook secret. Write the name of the secret in `path` which is `github-webhook-config`. Add `secret data`, key: `webhook.secret`, value: (your webhook secret). Hit save.

<div style="text-align:center"><img src="images/webhook-secret.png" /></div>
![webhook secret](images/webhook-secret.png)

### Add External Secret
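Review bot: `<your-tenant>` is left as a bare angle-bracket placeholder in "You should see the key/value path for <your-tenant>" and "in Vault for <your-tenant>", which markdown treats as an inline HTML tag and which the linting this commit is fixing is likely to flag; wrap it in backticks the way the "Click on `<your-tenant>/kv/`" line already does. The "value: (your webhook secret)" step also gives no guidance on how to produce the value even though it is the only thing authenticating GitHub's deliveries to the interceptor; a short hint such as "use a long random string, for example the output of `openssl rand -hex 32`" would prevent weak or reused secrets.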

@@ -101,41 +101,41 @@ The webhook setup acts as a bridge between your code repository and the CI/CD pi
1. Create a file named `github-webhook-config.yaml` and add in the below content. Replace the Url with your application repository's Url.
```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: github-webhook-config
spec:
secretStoreRef:
name: tenant-vault-secret-store
kind: SecretStore
refreshInterval: "1m0s"
target:
name: github-webhook-config
spec:
secretStoreRef:
name: tenant-vault-secret-store
kind: SecretStore
refreshInterval: "1m0s"
target:
name: github-webhook-config
creationPolicy: 'Owner'
template:
data:
provider.token: "{{ .password | toString }}"
webhook.secret: "{{ .secret | toString }}"
creationPolicy: 'Owner'
template:
data:
- secretKey: password
remoteRef:
key: github-webhook-config
property: provider.token
- secretKey: secret
remoteRef:
key: github-webhook-config
property: webhook.secret
provider.token: "{{ .password | toString }}"
webhook.secret: "{{ .secret | toString }}"
data:
- secretKey: password
remoteRef:
key: github-webhook-config
property: provider.token
- secretKey: secret
remoteRef:
key: github-webhook-config
property: webhook.secret
```
<div style="text-align:center"><img src="images/github-webhook-config-es.png" /></div>
![GitHub-webhook-config-es](images/github-webhook-config-es.png)
1. Now open up ArgoCD and look for this External Secret. If everything was added correctly, you will see a secret created from this External Secret.
<div style="text-align:center"><img src="images/github-webhook-config-argo.png" /></div>
![GitHub-webhook-config-argo](images/github-webhook-config-argo.png)
1. You can also check this secret by navigation to `<tenant>-build` namespace and searching for the secret.
<div style="text-align:center"><img src="images/github-webhook-config-secret.png" /></div>
![GitHub-webhook-config-secret](images/github-webhook-config-secret.png)
Great! We have everything set up for creating the Repository CR.
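Review bot: "Replace the Url with your application repository's Url" has nothing to act on, since the `ExternalSecret` manifest that follows contains no URL at all (only `secretStoreRef`, `refreshInterval`, `target`, `template` and `remoteRef` fields); either remove the sentence or name the field it refers to. The manifest also reads `property: provider.token` from the Vault key `github-webhook-config`, but the Vault step above only created `webhook.secret` under that path, so the secret will not sync unless `provider.token` was stored in a step not shown in this hunk; the text should say where that token comes from and that it has to be added alongside `webhook.secret`. Since the re-indentation touches every line of the YAML, a one-line reminder that `template.data` keys must match what the `Repository` CR expects (`provider.token`, `webhook.secret`) would also help readers who copy the block.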
@@ -40,7 +40,7 @@ In this tutorial, you'll create secrets containing your GitHub access credential
name: "github-webhook-config"
```
![repository](images/repository.png)
![repository](images/repository.png)
Once you add these two files to the repository at the correct path, you can see that ArgoCD has deployed them to the cluster.
@@ -35,9 +35,9 @@ Let's walk you through creating a Tekton `PipelineRun` using a `Pipeline-as-Code

1. You can go to your tenant's build namespace and see the pipeline running.

![git-clone](images/git-clone.png)
![git-clone](images/git-clone.png)

![git-clone-logs](images/git-clone-logs.png)
![git-clone-logs](images/git-clone-logs.png)

### Exploring the Git Clone Task
