Fix secrets creation for AAD applications

Dockerfile.shared-rp

@@ -4,7 +4,7 @@ FROM registry.access.redhat.com/ubi8/toolbox:8.10
 USER root 
 
 RUN dnf install https://packages.microsoft.com/config/rhel/8/packages-microsoft-prod.rpm -y \
-    && dnf install jq azure-cli make -y \
+    && dnf install jq azure-cli make openssl -y \
     && dnf clean all -y
 
 # Copy the Go Modules manifests for detecting Go version

docs/prepare-a-shared-rp-development-environment.md

@@ -156,8 +156,15 @@ PREFIX=aro-v4-e2e
 1. Create an AAD application which will fake up the RP identity.
 
    ```bash
-   AZURE_RP_CLIENT_SECRET="$(uuidgen)"
-   AZURE_RP_CLIENT_ID="$(az ad app create --display-name ${PREFIX}-rp-shared --end-date '2299-12-31T11:59:59+00:00' --key-type Password --key-value "$AZURE_RP_CLIENT_SECRET" --query appId -o tsv)"
+   AZURE_RP_CLIENT_SECRET="$(openssl rand -base64 32)"
+   AZURE_RP_CLIENT_ID="$(az ad app create \
+      --display-name ${PREFIX}-rp-shared \
+      --end-date '2299-12-31T11:59:59+00:00' \
+      --key-type Symmetric \
+      --key-usage Sign \
+      --key-value "$AZURE_RP_CLIENT_SECRET" \
+      --query appId \
+      -o tsv)"
    az ad sp create --id "$AZURE_RP_CLIENT_ID" >/dev/null
    ```
 
@@ -170,12 +177,13 @@ PREFIX=aro-v4-e2e
 1. Create an AAD application which will fake up the gateway identity.
 
    ```bash
-   AZURE_GATEWAY_CLIENT_SECRET="$(uuidgen)"
+   AZURE_GATEWAY_CLIENT_SECRET="$(openssl rand -base64 32)"
    AZURE_GATEWAY_CLIENT_ID="$(az ad app create \
      --display-name ${PREFIX}-gateway-shared \
      --end-date '2299-12-31T11:59:59+00:00' \
-     --key-type password \
-     --password "$AZURE_GATEWAY_CLIENT_SECRET" \
+     --key-type Symmetric \
+     --key-usage Sign \
+     --key-value "$AZURE_GATEWAY_CLIENT_SECRET" \
      --query appId \
      -o tsv)"
    az ad sp create --id "$AZURE_GATEWAY_CLIENT_ID" >/dev/null
@@ -184,12 +192,13 @@ PREFIX=aro-v4-e2e
 1. Create an AAD application which will be used by E2E and tooling.
 
    ```bash
-   AZURE_CLIENT_SECRET="$(uuidgen)"
+   AZURE_CLIENT_SECRET="$(openssl rand -base64 32)"
    AZURE_CLIENT_ID="$(az ad app create \
      --display-name ${PREFIX}-tooling-shared \
      --end-date '2299-12-31T11:59:59+00:00' \
-     --key-type password \
-     --password "$AZURE_CLIENT_SECRET" \
+     --key-type Symmetric \
+     --key-usage Sign \
+     --key-value "$AZURE_CLIENT_SECRET" \
      --query appId \
      -o tsv)"
    az ad sp create --id "$AZURE_CLIENT_ID" >/dev/null
@@ -200,18 +209,39 @@ PREFIX=aro-v4-e2e
    - `Contributor` on your subscription.
    - `User Access Administrator` on your subscription.
 
-   You must also manually grant this application the `Microsoft.Graph/Application.ReadWrite.OwnedBy` permission, which requires admin access, in order for AAD applications to be created/deleted on a per-cluster basis.
-
-   - Go into the Azure Portal
-   - Go to Azure Active Directory
-   - Navigate to the `aro-v4-tooling-shared` app registration page
-   - Click 'API permissions' in the left side pane
-   - Click 'Add a permission'.
-   - Click 'Microsoft Graph'
-   - Select 'Application permissions'
-   - Search for 'Application' and select `Application.ReadWrite.OwnedBy`
-   - Click 'Add permissions'
-   - This request will need to be approved by a tenant administrator. If you are one, you can click the `Grant admin consent for <name>` button to the right of the `Add a permission` button on the app page
+1. Add and grant `Microsoft.Graph/Application.ReadWrite.OwnedBy` permission.
+   It requires admin access in order for AAD applications to be created/deleted on a per-cluster basis.
+
+   ```bash
+   local ms_graph_sp_api_id="00000003-0000-0000-c000-000000000000"
+   local permission_id="$(az ad sp show \
+      --id $ms_graph_sp_api_id \
+      --query "appRoles" \
+      -o jsonc | jq -r '.[] | select(.value=="Application.ReadWrite.OwnedBy") | .id')"
+   local app_premission_info="$(az ad app permission list --id fb194a8e-da8a-4b15-8c1e-ef49b98987dc 2>/dev/null)" 
+   az ad app permission add \
+      --id $AZURE_CLIENT_ID \
+      --api $ms_graph_sp_api_id \
+      --api-permissions $permission_id=Role
+   az ad app permission grant \
+      --id $AZURE_CLIENT_ID \
+      --api $ms_graph_sp_api_id
+   # Only an admin can consent the new premission
+   az ad app permission admin-consent \
+      --id $AZURE_CLIENT_ID
+   ```
+
+   Or manuel way
+      - Go into the Azure Portal
+      - Go to Azure Active Directory
+      - Navigate to the `aro-v4-tooling-shared` app registration page
+      - Click 'API permissions' in the left side pane
+      - Click 'Add a permission'.
+      - Click 'Microsoft Graph'
+      - Select 'Application permissions'
+      - Search for 'Application' and select `Application.ReadWrite.OwnedBy`
+      - Click 'Add permissions'
+      - This request will need to be approved by a tenant administrator. If you are one, you can click the `Grant admin consent for <name>` button to the right of the `Add a permission` button on the app page
 
 1. Set up the RP role definitions and subscription role assignments in your Azure subscription. The usage of "uuidgen" for fpRoleDefinitionId is simply there to keep from interfering with any linked resources and to create the role net new. This mimics the RBAC that ARM sets up. With at least `User Access Administrator` permissions on your subscription, do:
 

hack/devtools/rp_dev_helper.sh

@@ -34,6 +34,35 @@ get_digest_tag() {
     echo "$IMAGE_TAG"
 }
 
+check_deployment() {
+    err_str="Usage $0 <RESOURCE_GROUP> <DEPLOYMENT_NAME>. Please try again"
+    local resource_group=${1?$err_str}
+    local deployment_name=${2?$err_str}
+
+    # Check if the ResourceGroup exists
+    resource_group_info=$(az group show --resource-group "${resource_group}" 2>/dev/null)
+    if [ -z "${resource_group_info}" ]; then
+        log "🔴❌📦 Resource group '${resource_group}' does not exist."
+        return 1
+    fi
+
+    # Check if the deployment exists
+    deployment_info=$(az deployment group show --resource-group "${resource_group}" --name "${deployment_name}" 2>/dev/null)
+    if [ -z "${deployment_info}" ]; then
+        log "🔴❌📦 Deployment '${deployment_name}' does not exist in resource group '${resource_group}'."
+        return 1
+    fi
+    # Check if the provisioning state is 'Succeeded'
+    # check_jq_installed - Might not needed
+    provisioning_state=$(jq -r '.properties.provisioningState' <<< "${deployment_info}")
+    if [[ "${provisioning_state}" == "Succeeded" ]]; then
+        log "🟢📦 Deployment '${deployment_name}' in resource group '${resource_group}' has been provisioned successfully."
+    else
+        log "🔴📦 Deployment '${deployment_name}' in resource group '${resource_group}' has not been provisioned successfully. Current state: ${provisioning_state}"
+        return 1
+    fi
+}
+
 # Example usage
 # get_digest_tag "FluentbitImage"
 # copy_digest_tag "<PULL_SECRET>" "src_acr_name" "dst_acr_name" "$(get_digest_tag FluentbitImage)"

hack/rp-dev/shared_rp_deploy.sh

@@ -12,6 +12,8 @@ main () {
     local parent_domain_resourcegroup="global-infra-${prefix}" # usually dns
     source hack/devtools/rp_dev_helper.sh
     echo -e "#### Running Shared RP Automation in Container ####\n"
+    export AAD_PREFIX="aro-v4-${prefix}"
+    # clean_aad_applications
     prerequisites ${secret_sa_account_name} ${prefix} ${location} ${parent_domain_resourcegroup}
 
     # Should we use e2esecretstorage or  rharosecretsdev?
@@ -24,10 +26,7 @@ main () {
     # proxy hostname will be of the form vm0.$PROXY_DOMAIN_NAME_LABEL.$LOCATION.cloudapp.azure.com.
     env_file ${secret_sa_account_name} ${parent_domain_resourcegroup} ${resourcegroup_prefix} ${proxy_domain_name_label}
     ls secrets/*
-    # ls secrets/vpn-*.ovpn
 }
 
 main "$@"
 # cleanup
-# az ad sp delete --id 12d31286-4cf3-40f7-851a-e562c6043f82 && az ad sp delete --id 8df991ab-b3b9-4a5d-a940-0b34e50a8310
-# az ad app delete --id 18f90d02-dea2-4495-9db8-3832898ebb11 && az ad app delete --id ef71dbb7-7f74-4723-a6b7-c4d945992d69