Skip to content

Commit

Permalink
Azure OIDC accounts (#2004)
Browse files Browse the repository at this point in the history
Co-authored-by: Steve Fenton <[email protected]>
Co-authored-by: Henrik Andersson <[email protected]>
  • Loading branch information
3 people authored Nov 1, 2023
1 parent da9ada2 commit 991615d
Show file tree
Hide file tree
Showing 5 changed files with 366 additions and 78 deletions.
3 changes: 3 additions & 0 deletions dictionary-octopus.txt
Original file line number Diff line number Diff line change
Expand Up @@ -32,13 +32,16 @@ octopusvariable
Octostache
OIDC
onlylogs
passout
pkcs
reprioritize
reprovisioned
reprovisioning
Runbook
runbook
runbooks
Schannel
signingkeys
sthumb
swaggerui
systemprofile
Expand Down
8 changes: 4 additions & 4 deletions src/pages/docs/deployments/azure/ase/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,11 @@ Given that you can't access the app, or its management endpoint (Kudu), from the

Contained in the publish profile is the URI of the deployment endpoint (Kudu) for the web app. This is the critical piece here.

For an external ASE that URI will be publicly accessible (e.g. https://yourapp.scm.aseName.p.azurewebsites.net).
For an external ASE that URI will be publicly accessible (e.g. https://your-app.scm.aseName.p.azurewebsites.net).

For an internal ASE the URI will not be publicly accessible, it will be something like https://yourapp.scm.yourdomain This is where the deployments will fail, they will be able to see all of the other Urls required but when they get to step 6 Octopus won't be able to resolve the address for the URI.
For an internal ASE the URI will not be publicly accessible, it will be something like `https://your-app.scm.your-domain` This is where the deployments will fail, they will be able to see all of the other Urls required but when they get to step 6 Octopus won't be able to resolve the address for the URI.

To fix that you need 2 things to happen. First, the network the Octopus Server is on has to be connected to the ASE's VNet, e.g. using ExpressRoute or a VPN. Second, the Octopus Server needs to be able to resolve `yourapp.scm.yourdomain` to the Internal Load Balancer IP address of your Azure ILB (found in the **IP addresses** for the ASE in the Azure portal), e.g. through DNS configuration.
To fix that you need 2 things to happen. First, the network the Octopus Server is on has to be connected to the ASE's VNet, e.g. using ExpressRoute or a VPN. Second, the Octopus Server needs to be able to resolve `your-app.scm.your-domain` to the Internal Load Balancer IP address of your Azure ILB (found in the **IP addresses** for the ASE in the Azure portal), e.g. through DNS configuration.

Exactly how to do those 2 things will depend on your organization, what infrastructure you might already have in place and is beyond the scope of this guide.

Expand All @@ -42,7 +42,7 @@ Usually when you create a web app in Azure its name must be unique. This isn't t

This is the reason why you see a resource group and a web app name when using binding on the Octopus Web App step, we need the resource group to differentiate web apps with the same name. When you aren't using binding the drop down list is doing this too behind the scenes.

This is also why using a [principal of least privilege on a Service Principal](/docs/infrastructure/accounts/azure/#note_on_lease_privilege) is a little complicated.
This is also why using a [principal of least privilege on a Service Principal](/docs/infrastructure/accounts/azure/#note_on_least_privilege) is a little complicated.

## Learn more

Expand Down
Loading

0 comments on commit 991615d

Please sign in to comment.