Managed service identity in Windows container using service fabric - azure-service-fabric

I am trying to call MSI from the container on a VM inside a service fabric cluster. I am able to get the token from the host using:
Invoke-WebRequest -Uri http://localhost:50342/oauth2/token -Method GET -Body @{resource="https://management.azure.com/"} -Headers @{Metadata="true"}
However, when I try to invoke the same service from the container using the IP address of the Gateway it doesn't work. Is there a feature on MSI roadmap to support containers in the VM host machine?
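The host-side request above, as an added example that is not part of the original question: it fetches the token from the MSI VM extension listener the question uses (http://localhost:50342, a constant of that extension) with proper `@{}` hashtables, then decodes the JWT payload and checks the audience and expiry before the token is used. The endpoint and field names `access_token`/`expires_on` are those of the MSI extension response; the audience string is assumed to match the requested resource.

```powershell
function Get-MsiToken {
    param(
        [string]$Resource = 'https://management.azure.com/',
        [string]$Endpoint = 'http://localhost:50342/oauth2/token'   # MSI VM extension listener (from the question)
    )
    # The Metadata header is mandatory: the listener rejects requests without it, which
    # stops a browser-initiated (SSRF-style) request from obtaining a token.
    Invoke-RestMethod -Uri $Endpoint -Method GET `
        -Body @{ resource = $Resource } `
        -Headers @{ Metadata = 'true' }
}

function ConvertFrom-JwtPayload {
    # Decodes the payload only; this is inspection, not signature validation.
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT' }
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$resource = 'https://management.azure.com/'
$token    = Get-MsiToken -Resource $resource
$claims   = ConvertFrom-JwtPayload -Jwt $token.access_token

# Checks a caller should make before attaching the token to a request:
if ($claims.aud.TrimEnd('/') -ne $resource.TrimEnd('/')) {
    throw "Unexpected audience: $($claims.aud)"
}
$expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
if ($expires -lt [DateTimeOffset]::UtcNow) { throw 'Token already expired' }

"Token for $($claims.aud) issued to appid $($claims.appid), valid until $expires (expires_on=$($token.expires_on))"
```

Keep the token in memory only; writing it to a log or to disk turns a short-lived credential into a persistent one. Run from inside the container, the same request will show whether the listener is reachable at all (connection refused versus an HTTP error), which narrows the problem described in the question.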

Related

How do you deploy Identity Server on Kubernetes?

I want to deploy Identity Server 4 on Kubernetes 1.8, and use this as a Federation Gateway between my web application and Azure Active Directory (to begin with).
If I call Identity Server from my web application using the local k8s service name, my users are redirected to the wrong Identity Server URL (containing the local k8s service name) during Sign in which clearly won't work. We are using an implicit flow.
I therefore set up an Azure Load Balancer with a DNS name and configured Identity Server to be externally accessible with the domain name as the PublicOrigin URL.
However, my web application which runs in the same cluster cannot access Identity Server using the external URL of the Identity Server (discovery fails).
If I run Identity Server on another Kubernetes cluster then everything works fine.
My question is:
How do you properly deploy Identity Server in Kubernetes? Do I really need another Kubernetes cluster?
Note: I am using Kubernetes on Azure created with ACS engine (because we have mixed windows and linux containers).
I'm using AKS (Azure managed Kubernetes) and have a single client ASP.NET Core 2 web app in the same cluster as my IS4 service with no issues. Both web apps are fronted by Nginx with kube-lego for Let's Encrypt TLS support, and DNS is provided by Azure DNS.
I'm not using the PublicOrigin but instead the client app's Authority (in the OpenID Connect setup) uses the full (external Azure) DNS name of the IS4 service. You can use PublicOrigin if you want to use the cluster service naming from your clients.

Testing Proxy Rules using Powershell

Sometimes our clients request firewall rules for their web servers to connect to a certain URL, but it turns out that the URL's IP address is dynamic, so we resort to using the proxy. One way that we test the proxy rules is to pull up the web server's browser, e.g. IE, set it up to use our proxy server and then hit the URL in the browser. Our clients have a lot of web servers that we host, so we would like to automate the testing part. Any ideas on doing it using PowerShell?
I'm not sure if it does what you want, but here is code which I found some days ago:
$secPasswd=ConvertTo-SecureString "password" -AsPlainText -Force
$myCreds=New-Object System.Management.Automation.PSCredential -ArgumentList "Domain\name",$secPasswd
$Site="http://www.google.com"
$Test=Invoke-WebRequest -URI $Site -Proxy 'http://ipaddress:port' -ProxyCredential $myCreds
$Test.StatusDescription
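Extending the answer to the asker's situation (many web servers, several URLs), the following is an added example and not the answer's code. It runs the proxied request on each web server over PowerShell remoting and collects one result row per server and URL, including the HTTP status the proxy returns on failure. The server names, URLs and proxy address are placeholders, and it assumes WinRM is enabled on the web servers; the password is prompted for rather than embedded in the script.

```powershell
$proxy     = 'http://proxy.example.internal:8080'                     # placeholder proxy address
$servers   = 'web01', 'web02'                                         # placeholder web server names
$urls      = 'https://www.google.com', 'https://updates.example.com'  # placeholder target URLs
$proxyCred = Get-Credential -Message 'Proxy credentials'              # prompted, never hard-coded

$results = Invoke-Command -ComputerName $servers -ArgumentList $proxy, $urls, $proxyCred -ScriptBlock {
    param($Proxy, $Urls, $Cred)
    foreach ($u in $Urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -Proxy $Proxy -ProxyCredential $Cred -UseBasicParsing -TimeoutSec 15
            [pscustomobject]@{ Server = $env:COMPUTERNAME; Url = $u; Status = [int]$r.StatusCode; Error = $null }
        } catch {
            # A 407 means the proxy rejected the credentials; a 403 from the proxy usually
            # means the rule for this URL is missing; a timeout means the proxy itself is unreachable.
            $status = $null
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            [pscustomobject]@{ Server = $env:COMPUTERNAME; Url = $u; Status = $status; Error = $_.Exception.Message }
        }
    }
}

$results | Sort-Object Server, Url | Format-Table Server, Url, Status, Error -AutoSize
```

Because every server reports the status code rather than just success or failure, the table distinguishes a missing proxy rule from a credential problem or an unreachable proxy, which is what you want when reviewing a rule request.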

Is there a documented way to secure (with SSL) the localhost cluster for Azure service fabric?

This article shows how to secure the Service Fabric cluster in Azure:
https://azure.microsoft.com/en-us/documentation/articles/service-fabric-visualstudio-configure-secure-connections/
But it makes no reference as to how to configure the developer's machine for the same. I tried to apply the same principles in the above link to see if I can make it work. It always fails to deploy services locally but works like a charm when I publish them to Azure's Service Fabric cluster. If I remove the secure bindings, I can deploy services to the local cluster successfully. But this becomes tedious whenever I want to publish the services to Azure's secure cluster.
Does anyone have an idea as to how to go about creating a secure Service Fabric cluster on a developer's machine?
I am using Service Fabric version 5.5.216.0 and it seems to be working. Run the PowerShell command:
PS C:\Program Files\Microsoft SDKs\Service Fabric\ClusterSetup> .\DevClusterSetup.ps1 -PathToClusterDataRoot "C:\SfDevCluster\Data" -PathToClusterLogRoot "C:\SfDevCluster\Log" -AsSecureCluster
Then, open IE to browse "https://localhost:19080/Explorer/". You will see a popup asking you to choose which client certificate to connect. Use the one with name 'ServiceFabricDevClusterCert'. Chrome didn't work for me as it failed directly with no useful warning. Maybe somewhere in chrome I should enable popup window?
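As an added example that is not part of the answer, the same check can be done from PowerShell instead of a browser: find the development cluster certificate, connect with X.509 credentials using the Service Fabric PowerShell module, read cluster health, and then confirm that an unsecured connection is rejected. It assumes the SDK installed the certificate with subject CN=ServiceFabricDevClusterCert (the name given in the answer) into the CurrentUser or LocalMachine personal store, and that the same certificate serves as both server and client certificate on the dev cluster.

```powershell
# Locate the dev cluster certificate (assumption: subject CN=ServiceFabricDevClusterCert)
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=ServiceFabricDevClusterCert' } |
    Select-Object -First 1
if (-not $cert) { throw 'Dev cluster certificate not found; was DevClusterSetup.ps1 run with -AsSecureCluster?' }
$thumb = $cert.Thumbprint
$store = if ($cert.PSPath -like '*LocalMachine*') { 'LocalMachine' } else { 'CurrentUser' }

# Pin the expected server thumbprint and present the same certificate as the client credential.
Connect-ServiceFabricCluster -ConnectionEndpoint 'localhost:19000' `
    -X509Credential -ServerCertThumbprint $thumb `
    -FindType FindByThumbprint -FindValue $thumb `
    -StoreLocation $store -StoreName My

Get-ServiceFabricClusterHealth | Select-Object AggregatedHealthState

# Negative check: an unsecured connection attempt must fail against a secured cluster.
try {
    Connect-ServiceFabricCluster -ConnectionEndpoint 'localhost:19000' -ErrorAction Stop | Out-Null
    Write-Warning 'Unsecured connection succeeded: the local cluster is NOT secured'
} catch {
    'Unsecured connection rejected as expected'
}
```

The pinned -ServerCertThumbprint is what protects the client from connecting to the wrong endpoint; if the thumbprint does not match, the connection fails before any credentials are sent. After the negative check, reconnect with the X.509 parameters before running further cluster commands, because Connect-ServiceFabricCluster replaces the session's connection.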

Setting a proxy in PowerShell on for the PowerShell WebClient?

I am developing a PowerShell script that uses HTTP to access REST services. For debugging purposes I want to redirect all HTTP traffic created by that script through a local proxy (Fiddler).
What I don't want to do is set Fiddler as the system-wide proxy in the IE/Windows internet settings, as this would redirect the traffic of my whole system through Fiddler (especially because Fiddler decrypts SSL/TLS traffic).
How do I set a proxy that affects only one WebClient instance or only the PowerShell?
Use the WebProxy class and instantiate it with the address to Fiddler (listens on port 8888 by default):
$FiddlerWP = New-Object System.Net.WebProxy "http://127.0.0.1:8888"
$WebClient = New-Object System.Net.WebClient
$WebClient.Proxy = $FiddlerWP
# This request will now get proxied through Fiddler
$WebClient.DownloadString("https://test.site.example")

Compatibility between New-WebServiceProxy and a proxy server

Am I missing something here?
Does new-webserviceproxy not support proxy credentials?
Corporate environments invariably use proxy servers to talk to the rest of the web and I can't seem to get new-webserviceproxy to talk through ours. I get a 407 proxy authentication required error in return - the credentials argument is for credentials to the webservice not for the proxy.
Unfortunately, this cmdlet has no support for proxy credentials. You may want to try using the code posted here by Lee.
http://www.leeholmes.com/blog/2007/02/28/calling-a-webservice-from-powershell/
He uses the NET.WebClient namespace, and hence it is possible to add proxy credentials to the connect-WebService code.
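The two proxy questions above (routing one PowerShell script through Fiddler without changing the system proxy, and getting past a 407 from an authenticating corporate proxy) can be served by one pattern, shown here as an added example rather than code from either answer: set the .NET default proxy for this process only, for the duration of a script block, and restore it afterwards. The proxy addresses and URLs are placeholders. It assumes that New-WebServiceProxy retrieves the WSDL through [System.Net.WebRequest]::DefaultWebProxy, so that setting the default proxy before calling the cmdlet is honoured; the page does not confirm this.

```powershell
function Invoke-WithProcessProxy {
    param(
        [Parameter(Mandatory)][string]$ProxyUri,
        [System.Management.Automation.PSCredential]$ProxyCredential,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock
    )
    $proxy = New-Object System.Net.WebProxy $ProxyUri
    if ($ProxyCredential) {
        # The password stays in memory for the call; nothing is written to the script or disk.
        $proxy.Credentials = $ProxyCredential.GetNetworkCredential()
    }
    # Scope: the default proxy of this .NET process (this PowerShell session), not the
    # IE/Windows system proxy, so other applications are unaffected.
    $previous = [System.Net.WebRequest]::DefaultWebProxy
    [System.Net.WebRequest]::DefaultWebProxy = $proxy
    try {
        & $ScriptBlock
    } finally {
        # Always restore, so later commands in the session are not silently proxied.
        [System.Net.WebRequest]::DefaultWebProxy = $previous
    }
}

# Case 1: debugging through Fiddler (listens on 127.0.0.1:8888 by default).
Invoke-WithProcessProxy -ProxyUri 'http://127.0.0.1:8888' -ScriptBlock {
    Invoke-RestMethod -Uri 'https://test.site.example/api'      # placeholder URL
}

# Case 2: authenticating corporate proxy (placeholder address) in front of a SOAP service.
$cred = Get-Credential -Message 'Proxy credentials'
Invoke-WithProcessProxy -ProxyUri 'http://proxy.example.internal:8080' -ProxyCredential $cred -ScriptBlock {
    # Assumption: the WSDL download by New-WebServiceProxy uses the process default proxy.
    $svc = New-WebServiceProxy -Uri 'https://service.example/Service.asmx?WSDL'   # placeholder URL
    # The generated client exposes a Proxy property; pin it so later SOAP calls made
    # outside this block still use the authenticated proxy.
    $svc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
    $svc.GetType().Name
}
```

With Fiddler's HTTPS decryption enabled, requests to HTTPS URLs fail with a certificate error unless Fiddler's root certificate is trusted on the machine; treat that failure as the expected behaviour of certificate validation rather than disabling validation globally in the script.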