From 670c212c4c587b93e85af86143a209e3f5386646 Mon Sep 17 00:00:00 2001 From: Michael O'Brien Date: Mon, 12 Nov 2018 18:46:46 -0500 Subject: azure oom k8s install security update Change-Id: I4ff48d3e13144d533c23839a73583b9ab3ec180f Issue-ID: LOG-321 Signed-off-by: Michael O'Brien --- deploy/azure/_arm_deploy_onap_cd.json | 66 +++------------------- deploy/azure/_arm_deploy_onap_cd_z_parameters.json | 8 +-- deploy/azure/oom_deployment.sh | 4 +- 3 files changed, 14 insertions(+), 64 deletions(-) diff --git a/deploy/azure/_arm_deploy_onap_cd.json b/deploy/azure/_arm_deploy_onap_cd.json index de3d5a0..4a8d6b0 100644 --- a/deploy/azure/_arm_deploy_onap_cd.json +++ b/deploy/azure/_arm_deploy_onap_cd.json @@ -19,11 +19,15 @@ "Standard_E2_v3", "Standard_D1", "Standard_D4_v3", + "Standard_D4s_v3", "Standard_D8S_v3", "Standard_D32s_v3", + "Standard_D64s_v3", "Standard_D16s_v3", "Standard_E16_v3", - "Standard_E64_v3"], + "Standard_F8s_v2", + "Standard_E64_v3", + "Standard_E64s_v3"], "metadata": { "description": "VM size" }} }, "variables": { 
@@ -61,53 +65,11 @@ "tags": { "displayName": "NSG" }, "properties": { "securityRules": [ - { - "name": "port_10249-10255_172", - "properties": { - "description": "port_10249-10255_172", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRange": "10249-10255", - "sourceAddressPrefix": "172.17.0.1/32", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 120, - "direction": "Inbound" - } - }, - { - "name": "port_10249-10255_127", - "properties": { - "description": "port_10249-10255_127", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRange": "10249-10255", - "sourceAddressPrefix": "127.0.0.1/32", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 122, - "direction": "Inbound" - } - }, - { - "name": "Port_10249-10255-block", - "properties": { - "description": "Port_10249-10255-block", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "10249-10255", - "sourceAddressPrefix": "Internet", - "destinationAddressPrefix": "*", - "access": "Deny", - "priority": 130, - "direction": "Inbound" - } - }, { "name": "in-rule", "properties": { "description": "All in", - "protocol": "Tcp", + "protocol": "Any", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "Internet", @@ -117,25 +79,11 @@ "direction": "Inbound" } }, - { - "name": "block-8080", - "properties": { - "description": "block-8080", - "protocol": "Tcp", - "sourcePortRange": "8080", - "destinationPortRange": "*", - "sourceAddressPrefix": "Internet", - "destinationAddressPrefix": "*", - "access": "Deny", - "priority": 104, - "direction": "Outbound" - } - }, { "name": "out-rule", "properties": { "description": "All out", - "protocol": "Tcp", + "protocol": "Any", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "Internet", diff --git a/deploy/azure/_arm_deploy_onap_cd_z_parameters.json b/deploy/azure/_arm_deploy_onap_cd_z_parameters.json index 19ebd8b..653d028 100644 
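Review bot: Deleting the `Port_10249-10255-block` Deny rule while widening `in-rule` to `"protocol": "Any"` leaves the Internet-sourced allow-everything rule as the only inbound control visible here, so the 10249-10255 range (kubelet/kube-proxy) is now reachable from any address and any protocol at the NSG layer. The justification added in `oom_deployment.sh` ("security is provided by rancher oauth via github") describes authentication to the Rancher server; whether it also gates direct connections to the kubelet listeners on the host depends on how those services are bound and authenticated, which this diff does not show, so that assumption should be confirmed before the Deny is dropped. If it does not hold, keep a narrowed Deny (`"destinationPortRange": "10249-10255"`, `"sourceAddressPrefix": "Internet"`, `"access": "Deny"` at a higher-precedence priority than `in-rule`) or restrict `in-rule`'s `sourceAddressPrefix` to the operator's CIDR. The `access` and `priority` properties of `in-rule` fall outside the visible hunk lines.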
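Review bot: `"protocol": "Any"` on `out-rule` (and on `in-rule` in the previous hunk) introduces a value the template did not use before: the rules deleted by this same commit spell any-protocol as `"protocol": "*"`, which is the form the ARM `securityRules` schema documents. Confirm that `Any` is accepted by this template's API version, and if not use `"protocol": "*"` so template validation does not fail at deploy time. Removing `block-8080` also changes egress policy (outbound traffic with source port 8080 toward Internet is no longer denied), which is worth a sentence in the commit message since the title only mentions the inbound side.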
--- a/deploy/azure/_arm_deploy_onap_cd_z_parameters.json +++ b/deploy/azure/_arm_deploy_onap_cd_z_parameters.json @@ -5,12 +5,12 @@ "scriptURL": { "value": "https://git.onap.org/logging-analytics/plain/deploy/rancher/oom_entrypoint.sh"}, "onapBranch": { "value": "master" }, "onapEnvironment": { "value": "onap"}, - "vmName": { "value": "a-replace-this-0" }, + "vmName": { "value": "replace-this" }, "sshKeyData": { - "value": "ssh-rsa AA-add-your-public-key-obrienbiometrics" + "value": "ssh-rsa AAA-your-key yourmail@mail" }, - "dnsLabelPrefix": { "value": "replacethis0" }, - "vmSize": { "value": "Standard_D32s_v3" }, + "dnsLabelPrefix": { "value": "replace-this-as-well" }, + "vmSize": { "value": "Standard_E64s_v3" }, "scriptName": { "value": "oom_entrypoint.sh"}, "osType": { "value": "Linux" }, "adminUsername": { "value": "ubuntu"} diff --git a/deploy/azure/oom_deployment.sh b/deploy/azure/oom_deployment.sh index 3c4196c..6093563 100755 --- a/deploy/azure/oom_deployment.sh +++ b/deploy/azure/oom_deployment.sh @@ -25,8 +25,10 @@ # Amsterdam # Rancher 1.6.10, Kubernetes 1.7.7, Kubectl 1.7.7, Helm 2.3.0, Docker 1.12 # master -# Rancher 1.6.14, Kubernetes 1.8.6, Kubectl 1.8.6, Helm 2.6.1, Docker 17.03 +# Rancher 1.6.22, Kubernetes 1.11.2, Kubectl 1.11.2, Helm 2.9.2, Docker 17.03 # run as root - because of the logout that would be required after the docker user set +# 10249-10255 security is provided by rancher oauth via github - use this instead of port level control in the NSG +# https://wiki.onap.org/display/DW/Cloud+Native+Deployment#CloudNativeDeployment-Security usage() { cat <