diff --git a/bicep/main.bicep b/bicep/main.bicep index 20eb8a7f..9aa075f7 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep @@ -22,9 +22,6 @@ param cmekConfiguration object = { identityId: '' } -// @description('Optional: Specify the AD Users and/or Groups that can manage the cluster.') -// param clusterAdminIds array = [] - //*****************************************************************// // Common Section // @@ -1654,13 +1651,21 @@ module configMap './modules/aks_configmap.bicep' = if (enableConfigMap) { namespace: 'default' dataMap: [ { - key: 'keyvault' - value: keyvault.outputs.name + key: 'tenant' + value: subscription().tenantId + } + { + key: 'subscription' + value: subscription().subscriptionId } { key: 'clientId' value: appIdentity.outputs.clientId } + { + key: 'keyvault' + value: keyvault.outputs.name + } ] } dependsOn: [ 
@@ -1668,25 +1673,32 @@ module configMap './modules/aks_configmap.bicep' = if (enableConfigMap) { keyvault ] } -// var configmapValues = '--from-literal=keyvault={1} --from-literal=clientId={2}' -// module configMap './modules/aks-run-command/main.bicep' = if (enableConfigMap) { -// name: '${serviceLayerConfig.name}-cluster-configmap' -// params: { -// aksName: cluster.outputs.aksClusterName -// location: location -// commands: [ -// format( -// 'kubectl create configmap app-config {0} -n default --save-config', -// format(configmapValues, keyvault.outputs.name, appIdentity.outputs.clientId) -// ) -// ] -// cleanupPreference: 'Always' -// } -// dependsOn: [ -// cluster -// keyvault -// ] -// } + +module workloadIdentityValues './modules/aks_configmap.bicep' = if (enableConfigMap) { + name: '${serviceLayerConfig.name}-configmap-dev-sample' + params: { + cluster: cluster.outputs.aksClusterName + location: location + name: 'workload-identity-values' + namespace: 'default' + dataMap: [ + { + key: 'values.yaml' + value: format(''' +azureWorkloadIdentity: + clientId: '{0}' + tenantId: '{1}' +''', appIdentity.outputs.clientId, subscription().tenantId) + } + ] + } + dependsOn: [ + cluster + ] +} + + + //--------------Flux Config--------------- module fluxConfiguration 'br/public:avm/res/kubernetes-configuration/flux-configuration:0.3.1' = if(enableSoftwareLoad) { diff --git a/bicep/main.parameters.json b/bicep/main.parameters.json index b12b0202..16bbcd23 100644 --- a/bicep/main.parameters.json +++ b/bicep/main.parameters.json @@ -23,6 +23,9 @@ "remoteNetworkPrefix": { "value": "${REMOTE_NETWORK_PREFIX}" }, + "softwareRepository": { + "value": "${SOFTWARE_REPOSITORY}" + }, "softwareBranch": { "value": "${SOFTWARE_BRANCH}" } diff --git a/charts/env-debug/README.md b/charts/env-debug/README.md index 6ed060e1..ef5a38b3 100644 --- a/charts/env-debug/README.md +++ b/charts/env-debug/README.md 
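Review bot: The new `workloadIdentityValues` module carries no comment saying what consumes the `workload-identity-values` ConfigMap, and nothing else in this diff references it — the dev-sample HelmRelease still ships `clientId: ""` / `tenantId: ""` in its inline values. A header comment above the module such as `// Rendered values.yaml for the dev-sample HelmRelease (consumed via valuesFrom); must live in the HelmRelease's own namespace (default), not its targetNamespace` would make the coupling visible to whoever edits either side. The explicit `dependsOn: [ cluster ]` is redundant because `cluster.outputs.aksClusterName` already implies that dependency, and the implicit dependency on `appIdentity` comes from `appIdentity.outputs.clientId`. Tenant and client IDs are identifiers rather than credentials, so a ConfigMap is an appropriate carrier here.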
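Review bot: `softwareRepository` is now taken straight from the `${SOFTWARE_REPOSITORY}` environment variable, and since it presumably selects the Git source that Flux reconciles into the cluster, whoever controls that variable controls what gets deployed — effectively cluster-admin by way of GitOps. The matching `param softwareRepository` declaration in `main.bicep` is not in this diff; if it is missing the deployment will be rejected for an unknown parameter, and if it exists it should carry a `@description(...)` and ideally a guard (for example `@minLength(1)` or a check that the value starts with the expected organisation URL). Pinning `softwareBranch` to a tag or commit rather than a moving branch is worth documenting alongside it.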
@@ -63,8 +63,5 @@ Install the helm chart. ```bash # Create Namespace NAMESPACE=dev-sample -kubectl create namespace $NAMESPACE - -# Install Charts -helm install env-tool . -n $NAMESPACE -f custom_values.yaml +helm install dev-sample . -n $NAMESPACE --create-namespace ``` diff --git a/charts/env-debug/templates/serviceaccount.yaml b/charts/env-debug/templates/serviceaccount.yaml index b0b1f98a..571d1c47 100644 --- a/charts/env-debug/templates/serviceaccount.yaml +++ b/charts/env-debug/templates/serviceaccount.yaml @@ -1,9 +1,9 @@ -# apiVersion: v1 -# kind: ServiceAccount -# metadata: -# name: {{ include "env-debug.serviceAccountName" . }} -# annotations: -# azure.workload.identity/client-id: {{ .Values.azureWorkloadIdentity.clientId }} -# azure.workload.identity/tenant-id: {{ .Values.azureWorkloadIdentity.tenantId }} -# labels: -# azure.workload.identity/use: "true" \ No newline at end of file +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "env-debug.serviceAccountName" . }} + annotations: + azure.workload.identity/client-id: {{ .Values.azureWorkloadIdentity.clientId }} + azure.workload.identity/tenant-id: {{ .Values.azureWorkloadIdentity.tenantId }} + labels: + azure.workload.identity/use: "true" \ No newline at end of file diff --git a/charts/env-debug/templates_orig/kv-secrets.yaml b/charts/env-debug/templates_orig/kv-secrets.yaml deleted file mode 100644 index 97689938..00000000 --- a/charts/env-debug/templates_orig/kv-secrets.yaml +++ /dev/null 
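Review bot: The two `azure.workload.identity/*` annotations are rendered unconditionally and unquoted, so with the chart defaults (`clientId: ""`, `tenantId: ""`) the ServiceAccount is created with an empty `client-id` while still carrying the `azure.workload.identity/use: "true"` label that triggers token projection; pods then fail at token exchange instead of the install failing early. Suggest `azure.workload.identity/client-id: {{ required "azureWorkloadIdentity.clientId is required" .Values.azureWorkloadIdentity.clientId | quote }}` and the same for `tenant-id`, so a missing value aborts rendering, or alternatively wrap the annotations and label in `{{- if .Values.azureWorkloadIdentity.clientId }}`. The file is also still missing a trailing newline.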
@@ -1,113 +0,0 @@ -# {{- $namespace := .Release.Namespace }} -# apiVersion: secrets-store.csi.x-k8s.io/v1alpha1 -# kind: SecretProviderClass -# metadata: -# name: azure-keyvault -# namespace: {{ $namespace }} -# spec: -# provider: azure -# secretObjects: -# - secretName: active-directory -# type: Opaque -# data: -# - objectName: "app-dev-sp-tenant-id" -# key: tenantid -# - objectName: "aad-client-id" -# key: application-appid -# - objectName: "app-dev-sp-username" -# key: principal-clientid -# - objectName: "app-dev-sp-password" -# key: principal-clientpassword -# - secretName: airflow -# type: Opaque -# data: -# - objectName: airflow-storage -# key: storage-account -# - objectName: airflow-storage-key -# key: storage-key -# - objectName: airflow-storage-connection -# key: storage-connection -# - objectName: airflow-remote-log-connection -# key: remote-log-connection -# - objectName: airflow-admin-password -# key: admin-password -# - objectName: airflow-fernet-key -# key: fernet-key -# - objectName: airflow-storage -# key: azurestorageaccountname -# - objectName: airflow-storage-key -# key: azurestorageaccountkey -# - secretName: postgres -# type: Opaque -# data: -# - objectName: "postgres-password" -# key: postgres-password -# - secretName: redis -# type: Opaque -# data: -# - objectName: "redis-password" -# key: redis-password -# - secretName: central-logging -# type: Opaque -# data: -# - objectName: "appinsights-key" -# key: appinsights -# - objectName: "log-workspace-id" -# key: workspace-id -# - objectName: "log-workspace-key" -# key: workspace-key -# parameters: -# usePodIdentity: "true" -# useVMManagedIdentity: "false" -# userAssignedIdentityID: "" -# resourceGroup: "{{ .Values.azure.resourcegroup }}" -# keyvaultName: "{{ .Values.azure.keyvault }}" -# subscriptionId: "{{ .Values.azure.subscription }}" -# tenantId: "{{ .Values.azure.tenant }}" -# objects: | -# array: -# - | -# objectName: airflow-storage -# objectType: secret -# - | -# objectName: 
airflow-storage-connection -# objectType: secret -# - | -# objectName: airflow-remote-log-connection -# objectType: secret -# - | -# objectName: airflow-storage-key -# objectType: secret -# - | -# objectName: airflow-admin-password -# objectType: secret -# - | -# objectName: airflow-fernet-key -# objectType: secret -# - | -# objectName: postgres-password -# objectType: secret -# - | -# objectName: redis-password -# objectType: secret -# - | -# objectName: appinsights-key -# objectType: secret -# - | -# objectName: log-workspace-id -# objectType: secret -# - | -# objectName: log-workspace-key -# objectType: secret -# - | -# objectName: app-dev-sp-tenant-id -# objectType: secret -# - | -# objectName: aad-client-id -# objectType: secret -# - | -# objectName: app-dev-sp-username -# objectType: secret -# - | -# objectName: app-dev-sp-password -# objectType: secret diff --git a/charts/env-debug/templates_orig/pvc.yaml b/charts/env-debug/templates_orig/pvc.yaml deleted file mode 100644 index 68d578c5..00000000 --- a/charts/env-debug/templates_orig/pvc.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# {{- $namespace := .Release.Namespace }} -# apiVersion: v1 -# kind: PersistentVolume -# metadata: -# name: {{ include "env-debug.fullname" . }}-pv -# namespace: {{ $namespace }} -# labels: -# usage: airflow-dag -# spec: -# capacity: -# storage: 5Gi -# accessModes: -# - ReadOnlyMany -# azureFile: -# secretName: airflow -# shareName: airflowdags -# volumeMode: Filesystem -# mountOptions: -# - dir_mode=0777 -# - file_mode=0777 -# - uid=1000 -# - gid=1000 -# - mfsymlinks -# - nobrl - -# --- -# apiVersion: v1 -# kind: PersistentVolumeClaim -# metadata: -# name: {{ include "env-debug.fullname" . }}-pvc -# namespace: {{ $namespace }} -# # Set this annotation to NOT let Kubernetes automatically create -# # a persistent volume for this volume claim. -# annotations: -# volume.beta.kubernetes.io/storage-class: "" -# spec: -# accessModes: -# - ReadOnlyMany -# resources: -# requests: -# storage: 5Gi -# selector: -# matchLabels: -# usage: airflow-dag diff --git a/charts/env-debug/values.yaml b/charts/env-debug/values.yaml index 66a98631..5589033a 100644 --- a/charts/env-debug/values.yaml +++ b/charts/env-debug/values.yaml @@ -1,5 +1,3 @@ -# This file contains the essential configs for the osdu on azure helm chart - replicaCount: 1 nameOverride: "" @@ -12,7 +10,11 @@ service: serviceAccount: create: true - name: "" #Leave empty and it'll default to the name of the app, thanks to the _helpers.tpl + name: "" + +azureWorkloadIdentity: + clientId: "" + tenantId: "" autoscaling: enabled: false 
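Review bot: The new `azureWorkloadIdentity` keys have no comment, and the comment removed from `serviceAccount.name` (`Leave empty and it'll default to the name of the app, thanks to the _helpers.tpl`) was the only documentation of that default. Suggest keeping it in shorter form, `name: ""  # empty -> derived from the chart name in _helpers.tpl`, and annotating the new keys as `clientId: ""  # client ID of the user-assigned identity federated to this ServiceAccount (an identifier, not a secret)` and `tenantId: ""  # Entra tenant of that identity`. Stating that both values are required for workload identity to function, rather than optional, would also help operators who copy this file.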
@@ -20,27 +22,9 @@ autoscaling: maxReplicas: 3 targetCPUUtilizationPercentage: 80 -################################################################################ -# Specify the azure environment specific values -# azure: enabled: false -# tenant: -# subscription: -# resourcegroup: -# identity: -# identity_id: -# keyvault: -# appid: env: - name: MESSAGE value: Hello World! -# - name: AZURE_TENANT_ID -# secret: -# name: active-directory -# key: tenantid -# - name: WORKSPACE_ID -# secret: -# name: central-logging -# key: log-workspace-id diff --git a/software/applications/dev-sample/namespace.yaml b/software/applications/dev-sample/namespace.yaml index c3ebf55e..2c7ea92e 100644 --- a/software/applications/dev-sample/namespace.yaml +++ b/software/applications/dev-sample/namespace.yaml @@ -1,5 +1,5 @@ -# --- -# apiVersion: v1 -# kind: Namespace -# metadata: -# name: dev-sample \ No newline at end of file +--- +apiVersion: v1 +kind: Namespace +metadata: + name: dev-sample \ No newline at end of file diff --git a/software/applications/dev-sample/release.yaml b/software/applications/dev-sample/release.yaml index cf5139fc..176cab34 100644 --- a/software/applications/dev-sample/release.yaml +++ b/software/applications/dev-sample/release.yaml @@ -2,8 +2,10 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: env-tool + name: dev-sample namespace: default + annotations: + clusterconfig.azure.com/use-managed-source: "true" spec: chart: spec: @@ -16,7 +18,7 @@ spec: install: remediation: retries: 3 - targetNamespace: default + targetNamespace: dev-sample values: replicaCount: 1 nameOverride: "" 
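Review bot: Changing `targetNamespace` to `dev-sample` changes the subject the chart's ServiceAccount presents to Entra: a federated credential subject has the form `system:serviceaccount:<namespace>:<name>`, so a credential issued for the `default` namespace no longer matches (the Bicep side is not in this diff — verify the subject there). A one-line comment next to it, `# must match the namespace in the workload identity federated credential subject`, would make that coupling explicit. The `dev-sample` Namespace is now also created by two owners, Flux via `namespace.yaml` and the README's `helm install --create-namespace`; documenting which one owns it avoids a prune/ownership conflict later.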
@@ -24,21 +26,15 @@ spec: service: type: ClusterIP port: 80 - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 3 - targetCPUUtilizationPercentage: 80 + serviceAccount: + create: true + name: "" + azureWorkloadIdentity: + clientId: "" + tenantId: "" azure: enabled: false env: - name: MESSAGE value: Hello World! - # - name: AZURE_TENANT_ID - # secret: - # name: active-directory - # key: tenantid - # - name: WORKSPACE_ID - # secret: - # name: central-logging - # key: workspace-id \ No newline at end of file + \ No newline at end of file diff --git a/software/components/istio-ingress/gateway.yaml b/software/components/istio-ingress/gateway.yaml deleted file mode 100644 index 1a6ea4cf..00000000 --- a/software/components/istio-ingress/gateway.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-external-gateway - namespace: aks-istio-ingress -spec: - selector: - istio: aks-istio-ingressgateway-external - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" ---- -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: istio-internal-gateway - namespace: aks-istio-ingress -spec: - selector: - istio: aks-istio-ingressgateway-internal - servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - "*" diff --git a/software/components/istio-ingress/self-issuer.yaml b/software/components/istio-ingress/self-issuer.yaml deleted file mode 100644 index 783f2cf0..00000000 --- a/software/components/istio-ingress/self-issuer.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: selfsigned-issuer - namespace: aks-istio-system -spec: - selfSigned: {} diff --git a/software/components/istio-operator/namespace.yaml b/software/components/istio-operator/namespace.yaml deleted file mode 100644 index de678e06..00000000 --- a/software/components/istio-operator/namespace.yaml +++ /dev/null 
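Review bot: The inline `azureWorkloadIdentity.clientId` / `tenantId` are empty strings, and nothing here supplies real values, so the rendered ServiceAccount will carry empty workload-identity annotations; the Bicep change in this same commit creates a `workload-identity-values` ConfigMap (key `values.yaml`) in the `default` namespace, which is where this HelmRelease lives, so it looks intended to be wired in through `valuesFrom`. Adding that reference lets the Bicep output override the empty inline defaults, since `valuesFrom` entries are merged after `values`. The trailing `+ ` whitespace-only line with no newline at end of file should also be dropped.
```yaml
spec:
  # … unchanged: chart, interval, install …
  valuesFrom:
    - kind: ConfigMap
      name: workload-identity-values
      valuesKey: values.yaml
  # … unchanged: values …
```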
@@ -1,7 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: istio-system - labels: - toolkit.fluxcd.io/tenant: sre-team diff --git a/software/components/istio-operator/release.yaml b/software/components/istio-operator/release.yaml deleted file mode 100644 index f7384405..00000000 --- a/software/components/istio-operator/release.yaml +++ /dev/null @@ -1,41 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: istio-base - namespace: istio-system -spec: - releaseName: istio-base - chart: - spec: - chart: manifests/charts/base - sourceRef: - kind: GitRepository - name: istio - namespace: istio-system - interval: 1h0m0s - install: - remediation: - retries: 3 ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: istio-operator - namespace: istio-system -spec: - releaseName: istio-operator - chart: - spec: - chart: manifests/charts/istio-operator - sourceRef: - kind: GitRepository - name: istio - namespace: istio-system - interval: 1h0m0s - install: - remediation: - retries: 3 - values: - hub: "docker.io/istio" - tag: "1.17.8" diff --git a/software/components/istio-operator/source.yaml b/software/components/istio-operator/source.yaml deleted file mode 100644 index 9ce40446..00000000 --- a/software/components/istio-operator/source.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta1 -kind: GitRepository -metadata: - name: istio - namespace: istio-system -spec: - interval: 30m - url: https://github.com/istio/istio - ref: - branch: master - tag: 1.15.1 diff --git a/stamp/applications/kustomize.yaml b/stamp/applications/kustomize.yaml index 2e272518..d832e68b 100644 --- a/stamp/applications/kustomize.yaml +++ b/stamp/applications/kustomize.yaml 
@@ -1,15 +1,4 @@ --- -apiVersion: source.toolkit.fluxcd.io/v1beta1 -kind: GitRepository -metadata: - name: osdu-developer - namespace: flux-system -spec: - interval: 5m0s - ref: - branch: main - url: https://github.com/azure/osdu-developer ---- apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 kind: Kustomization metadata: @@ -48,19 +37,19 @@ spec: path: ./software/applications/elastic-search prune: true wait: true -# --- -# apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -# kind: Kustomization -# metadata: -# name: application-component-devsample -# namespace: flux-system -# spec: -# interval: 1h -# retryInterval: 1m -# timeout: 5m -# sourceRef: -# kind: GitRepository -# name: flux-system -# path: ./software/applications/dev-sample -# prune: true -# wait: true +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +kind: Kustomization +metadata: + name: application-component-devsample + namespace: flux-system +spec: + interval: 1h + retryInterval: 1m + timeout: 5m + sourceRef: + kind: GitRepository + name: flux-system + path: ./software/applications/dev-sample + prune: true + wait: true
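Review bot: The new `application-component-devsample` Kustomization sets `prune: true` and its path now contains a `Namespace` manifest, so removing the directory or this entry later garbage-collects the `dev-sample` namespace together with everything in it; a comment such as `# prune: removing this path deletes the dev-sample Namespace and its contents` would warn the next editor. No `serviceAccountName` is set, so the reconciliation runs with the kustomize-controller's own (cluster-wide) permissions — for a sample application, impersonating a namespaced ServiceAccount would bound the blast radius of a bad manifest. No `dependsOn` is declared either, although the HelmRelease it applies presumably needs its chart source and the namespace to be ready first; if a sibling Kustomization provides those, listing it avoids retry churn.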