diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3e5da83b..3b0d9cb8 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -46,7 +46,7 @@ on: required: false region: description: "Region (needs to be same as byo vnet location)" - default: "eastus2" + default: "centralus" type: string required: false doStandards: @@ -74,7 +74,7 @@ env: AZCLIVERSION: 2.63.0 # https://github.com/Azure/azure-cli/issues/29828 ParamFilePath: ".github/parameters.json" DEPNAME: "dep${{ github.run_number }}" - + jobs: Standards: runs-on: ubuntu-latest @@ -150,7 +150,7 @@ jobs: if [ -z "${{ github.event.inputs.region }}" ] then echo "Region parameter not available through GitHub event data, setting default" - REGION="eastus2" + REGION="centralus" else echo "Region parameter found in GitHub event (${{ github.event.inputs.region }})" REGION="${{ github.event.inputs.region }}" @@ -270,8 +270,8 @@ jobs: azcliversion: ${{ env.AZCLIVERSION }} inlineScript: | DEPNAME='Dep${{ github.run_number }}' - - PARAMS='${{ steps.imperitiveparams.outputs.PARAMOVERRIDES }} applicationClientId=${{ env.AZURE_CLIENT_ID }} applicationClientSecret=${{ secrets.AZURE_CLIENT_SECRET }} applicationClientPrincipalOid=${{ env.AZURE_CLIENT_PRINCIPAL_OID }} emailAddress=${{ secrets.EMAIL_ADDRESS }}' + + PARAMS='${{ steps.imperitiveparams.outputs.PARAMOVERRIDES }} applicationClientId=${{ env.AZURE_CLIENT_ID }} applicationClientPrincipalOid=${{ env.AZURE_CLIENT_PRINCIPAL_OID }} emailAddress=${{ secrets.EMAIL_ADDRESS }}' echo $PARAMS az deployment group validate -f bicep/main.bicep -g $RESOURCE_GROUP -p ${{ env.ParamFilePath }} -p $PARAMS --verbose @@ -330,7 +330,7 @@ jobs: - name: Install azd uses: Azure/setup-azd@v2.1.0 - + - name: Log in with Azure (Federated Credentials) if: ${{ env.AZURE_CLIENT_ID != '' }} run: | diff --git a/bicep/main.bicep b/bicep/main.bicep index dc0b73a0..3b3de060 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep 
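Review bot: The rewritten `PARAMS=` line still expands `${{ secrets.EMAIL_ADDRESS }}` and `${{ steps.imperitiveparams.outputs.PARAMOVERRIDES }}` directly into the inlineScript text, and the unchanged `echo $PARAMS` on the next line writes the whole string to the job log; GitHub masks registered secret values, but a step output that (as the REGION fallback hunk suggests) is derived from a workflow input being spliced into shell source is the pattern the Actions hardening guidance warns about. Passing both through the step's `env:` block and reading `"$PARAMOVERRIDES"` / `"$EMAIL_ADDRESS"` inside the script avoids the log exposure and the expansion-as-code concern. Dropping `applicationClientSecret=...` from the string is the right direction; the `secrets.AZURE_CLIENT_SECRET` entry can now also be retired from the repository secrets if nothing else reads it. Separately, the default region now lives in two places (`default: "centralus"` on the input and `REGION="centralus"` in the shell fallback); one `env:` value read by both would keep them from drifting. The enclosing step definition starts before this hunk.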
@@ -10,16 +10,9 @@ param emailAddress string @description('Specify the Application Client Id. (This is the unique application ID of this application.)') param applicationClientId string -@description('Specify the Application Client Secret. (A valid secret for the application client ID.)') -@secure() -param applicationClientSecret string - @description('Specify the Enterprise Application Object Id. (This is the unique ID of the service principal object associated with the application.)') param applicationClientPrincipalOid string -@description('The size of the VM to use for the cluster.') -param customVMSize string = '' - @allowed([ 'External' 'Internal' @@ -55,6 +48,13 @@ param clusterConfiguration object = { enableLockDown: false } +@description('Optional: Server Configuration Overrides - {system}-->(4x8 ARM:true) {zone}-->(2x8 ARM:true) {user}-->(4x16 ARM:false BURST:true)') +param serverConfiguration object = { + systemPool: 'Standard_D4pds_v6' + zonePool: 'Standard_D2pds_v6' + userPool: 'Standard_B4s_v2' +} + @description('Optional. Bring your own Virtual Network.') param vnetConfiguration object = { group: '' @@ -80,7 +80,7 @@ param vnetConfiguration object = { } ///////////////////////////////// -// Configuration +// Configuration ///////////////////////////////// // Internal Feature Flags Start -> @@ -108,10 +108,10 @@ var configuration = { tenantId: 'tenant-id' subscriptionId: 'subscription-id' registryName: 'container-registry' - applicationId: 'aad-client-id' - clientId: 'app-dev-sp-username' - clientSecret: 'app-dev-sp-password' - applicationPrincipalId: 'app-dev-sp-id' + // applicationId: 'aad-client-id' + // clientId: 'app-dev-sp-username' + // clientSecret: 'app-dev-sp-password' + // applicationPrincipalId: 'app-dev-sp-id' stampIdentity: 'osdu-identity-id' storageAccountName: 'common-storage' storageAccountKey: 'common-storage-key' 
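Review bot: The three VM size strings in the new `serverConfiguration` default are repeated verbatim as fallback literals in the clusterBlade call further down (`serverConfiguration.systemPool == '' ? 'Standard_D4pds_v6' : ...`) and again as parameter defaults in blade_cluster.bicep, so a size change has to be made in three files to stay consistent. Declaring a user-defined `type` for the object with optional `string?` members and letting blade_cluster's own defaults apply would leave one source of truth. The description here says the user pool is `4x16` while the blade_cluster.bicep description for the same pool says `2x8`; one of the two is wrong. In the `configuration` hunk below, the four credential keys (`applicationId`, `clientId`, `clientSecret`, `applicationPrincipalId`) are left as commented-out lines rather than deleted; since the `applicationClientSecret` parameter is removed in this same diff, deleting them avoids the var continuing to advertise a secret that the template no longer provisions.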
@@ -157,12 +157,12 @@ var rg_unique_id = '${replace(configuration.name, '-', '')}${uniqueString(resour /* - __ _______ _______ .__ __. .___________. __ .___________.____ ____ -| | | \ | ____|| \ | | | || | | |\ \ / / -| | | .--. || |__ | \| | `---| |----`| | `---| |----` \ \/ / -| | | | | || __| | . ` | | | | | | | \_ _/ -| | | '--' || |____ | |\ | | | | | | | | | -|__| |_______/ |_______||__| \__| |__| |__| |__| |__| + __ _______ _______ .__ __. .___________. __ .___________.____ ____ +| | | \ | ____|| \ | | | || | | |\ \ / / +| | | .--. || |__ | \| | `---| |----`| | `---| |----` \ \/ / +| | | | | || __| | . ` | | | | | | | \_ _/ +| | | '--' || |____ | |\ | | | | | | | | | +|__| |_______/ |_______||__| \__| |__| |__| |__| |__| */ module stampIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.0' = { name: '${configuration.name}-user-managed-identity' @@ -185,11 +185,11 @@ module stampIdentity 'br/public:avm/res/managed-identity/user-assigned-identity: ___ .__ __. ___ __ ____ ____ .___________. __ ______ _______. / \ | \ | | / \ | | \ \ / / | || | / | / | / ^ \ | \| | / ^ \ | | \ \/ / `---| |----`| | | ,----' | (----` - / /_\ \ | . ` | / /_\ \ | | \_ _/ | | | | | | \ \ - / _____ \ | |\ | / _____ \ | `----. | | | | | | | `----.----) | -/__/ \__\ |__| \__| /__/ \__\ |_______| |__| |__| |__| \______|_______/ + / /_\ \ | . ` | / /_\ \ | | \_ _/ | | | | | | \ \ + / _____ \ | |\ | / _____ \ | `----. | | | | | | | `----.----) | +/__/ \__\ |__| \__| /__/ \__\ |_______| |__| |__| |__| \______|_______/ */ -module logAnalytics 'br/public:avm/res/operational-insights/workspace:0.7.1' = { +module logAnalytics 'br/public:avm/res/operational-insights/workspace:0.9.1' = { name: '${configuration.name}-log-analytics' params: { name: rg_unique_id 
@@ -211,12 +211,12 @@ module logAnalytics 'br/public:avm/res/operational-insights/workspace:0.7.1' = { __ .__ __. _______. __ _______ __ __ .___________. _______. | | | \ | | / || | / _____|| | | | | | / | | | | \| | | (----`| | | | __ | |__| | `---| |----` | (----` -| | | . ` | \ \ | | | | |_ | | __ | | | \ \ -| | | |\ | .----) | | | | |__| | | | | | | | .----) | -|__| |__| \__| |_______/ |__| \______| |__| |__| |__| |_______/ +| | | . ` | \ \ | | | | |_ | | __ | | | \ \ +| | | |\ | .----) | | | | |__| | | | | | | | .----) | +|__| |__| \__| |_______/ |__| \______| |__| |__| |__| |_______/ */ -module insights 'br/public:avm/res/insights/component:0.3.0' = { +module insights 'br/public:avm/res/insights/component:0.5.0' = { name: '${configuration.name}-insights' params: { name: '${replace(configuration.name, '-', '')}${uniqueString(resourceGroup().id, configuration.name)}' @@ -232,7 +232,7 @@ module insights 'br/public:avm/res/insights/component:0.3.0' = { kind: configuration.insights.sku workspaceResourceId: logAnalytics.outputs.resourceId - + diagnosticSettings: [ { metricCategories: [ @@ -249,15 +249,15 @@ module insights 'br/public:avm/res/insights/component:0.3.0' = { /* - ______ ___ ______ __ __ _______ + ______ ___ ______ __ __ _______ / | / \ / || | | | | ____| -| ,----' / ^ \ | ,----'| |__| | | |__ -| | / /_\ \ | | | __ | | __| -| `----./ _____ \ | `----.| | | | | |____ - \______/__/ \__\ \______||__| |__| |_______| +| ,----' / ^ \ | ,----'| |__| | | |__ +| | / /_\ \ | | | __ | | __| +| `----./ _____ \ | `----.| | | | | |____ + \______/__/ \__\ \______||__| |__| |_______| */ // This takes a long time to deploy so we are starting as soon as possible. -module redis 'br/public:avm/res/cache/redis:0.3.2' = { +module redis 'br/public:avm/res/cache/redis:0.9.0' = { name: '${configuration.name}-cache' params: { name: '${replace(configuration.name, '-', '')}${uniqueString(resourceGroup().id, configuration.name)}' 
@@ -270,7 +270,7 @@ module redis 'br/public:avm/res/cache/redis:0.3.2' = { id: rg_unique_id } - skuName: 'Basic' + skuName: 'Basic' capacity: 1 replicasPerMaster: 1 replicasPerPrimary: 1 @@ -281,17 +281,17 @@ module redis 'br/public:avm/res/cache/redis:0.3.2' = { /* -.__ __. _______ .___________.____ __ ____ ______ .______ __ ___ -| \ | | | ____|| |\ \ / \ / / / __ \ | _ \ | |/ / -| \| | | |__ `---| |----` \ \/ \/ / | | | | | |_) | | ' / -| . ` | | __| | | \ / | | | | | / | < -| |\ | | |____ | | \ /\ / | `--' | | |\ \----.| . \ -|__| \__| |_______| |__| \__/ \__/ \______/ | _| `._____||__|\__\ -.______ __ ___ _______ _______ +.__ __. _______ .___________.____ __ ____ ______ .______ __ ___ +| \ | | | ____|| |\ \ / \ / / / __ \ | _ \ | |/ / +| \| | | |__ `---| |----` \ \/ \/ / | | | | | |_) | | ' / +| . ` | | __| | | \ / | | | | | / | < +| |\ | | |____ | | \ /\ / | `--' | | |\ \----.| . \ +|__| \__| |_______| |__| \__/ \__/ \______/ | _| `._____||__|\__\ +.______ __ ___ _______ _______ | _ \ | | / \ | \ | ____| -| |_) | | | / ^ \ | .--. || |__ -| _ < | | / /_\ \ | | | || __| -| |_) | | `----./ _____ \ | '--' || |____ +| |_) | | | / ^ \ | .--. || |__ +| _ < | | / /_\ \ | | | || __| +| |_) | | `----./ _____ \ | '--' || |____ |______/ |_______/__/ \__\ |_______/ |_______| */ module networkBlade 'modules/blade_network.bicep' = if (enableVnetInjection) { @@ -314,7 +314,7 @@ module networkBlade 'modules/blade_network.bicep' = if (enableVnetInjection) { enablePodSubnet: vnetConfiguration.podSubnet.name != '' && vnetConfiguration.podSubnet.prefix != '' ? true: false enableVnetInjection: enableVnetInjection - + vnetConfiguration: { group: vnetConfiguration.group name: vnetConfiguration.name 
@@ -338,17 +338,17 @@ module networkBlade 'modules/blade_network.bicep' = if (enableVnetInjection) { /* - ______ __ __ __ _______.___________. _______ .______ - / || | | | | | / | || ____|| _ \ -| ,----'| | | | | | | (----`---| |----`| |__ | |_) | -| | | | | | | | \ \ | | | __| | / + ______ __ __ __ _______.___________. _______ .______ + / || | | | | | / | || ____|| _ \ +| ,----'| | | | | | | (----`---| |----`| |__ | |_) | +| | | | | | | | \ \ | | | __| | / | `----.| `----.| `--' | .----) | | | | |____ | |\ \----. \______||_______| \______/ |_______/ |__| |_______|| _| `._____| -.______ __ ___ _______ _______ +.______ __ ___ _______ _______ | _ \ | | / \ | \ | ____| -| |_) | | | / ^ \ | .--. || |__ -| _ < | | / /_\ \ | | | || __| -| |_) | | `----./ _____ \ | '--' || |____ +| |_) | | | / ^ \ | .--. || |__ +| _ < | | / /_\ \ | | | || __| +| |_) | | `----./ _____ \ | '--' || |____ |______/ |_______/__/ \__\ |_______/ |_______| */ module clusterBlade 'modules/blade_cluster.bicep' = { @@ -373,10 +373,12 @@ module clusterBlade 'modules/blade_cluster.bicep' = { workspaceResourceId: logAnalytics.outputs.resourceId identityId: enableVnetInjection ? networkBlade.outputs.networkConfiguration.identityId : stampIdentity.outputs.resourceId managedIdentityName: stampIdentity.outputs.name - + aksSubnetId: enableVnetInjection ? networkBlade.outputs.aksSubnetId : '' podSubnetId: enableVnetInjection ? networkBlade.outputs.podSubnetId : '' - vmSize: customVMSize + vmSizeSystemPool: serverConfiguration.systemPool == '' ? 'Standard_D4pds_v6' : serverConfiguration.systemPool + vmSizeZonePool: serverConfiguration.zonePool == '' ? 'Standard_D2pds_v6' : serverConfiguration.zonePool + vmSizeUserPool: serverConfiguration.userPool == '' ? 'Standard_B4s_v2' : serverConfiguration.userPool } dependsOn: [ stampIdentity 
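Review bot: `serverConfiguration.systemPool == ''` (and the zone/user lines below it) only handles an empty string: if a caller supplies the object without one of the keys the property access fails at validation time, and a `null` value passes the comparison and is forwarded as the VM size. `empty(serverConfiguration.?systemPool)` covers missing, null and empty in one expression, provided the toolchain's Bicep version supports the safe-dereference operator. The fallback literals also duplicate the defaults already declared in blade_cluster.bicep and in the `serverConfiguration` parameter default above; relying on one of those would remove two copies. The clusterBlade module body continues outside this hunk.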
@@ -386,12 +388,12 @@ module clusterBlade 'modules/blade_cluster.bicep' = { /* - __________ ___ .___________. _______ .__ __. _______. __ ______ .__ __. -| ____\ \ / / | || ____|| \ | | / || | / __ \ | \ | | -| |__ \ V / `---| |----`| |__ | \| | | (----`| | | | | | | \| | -| __| > < | | | __| | . ` | \ \ | | | | | | | . ` | -| |____ / . \ | | | |____ | |\ | .----) | | | | `--' | | |\ | -|_______/__/ \__\ |__| |_______||__| \__| |_______/ |__| \______/ |__| \__| + __________ ___ .___________. _______ .__ __. _______. __ ______ .__ __. +| ____\ \ / / | || ____|| \ | | / || | / __ \ | \ | | +| |__ \ V / `---| |----`| |__ | \| | | (----`| | | | | | | \| | +| __| > < | | | __| | . ` | \ \ | | | | | | | . ` | +| |____ / . \ | | | |____ | |\ | .----) | | | | `--' | | |\ | +|_______/__/ \__\ |__| |_______||__| \__| |_______/ |__| \______/ |__| \__| */ // AVM doesn't support output of the principalId from the extension module so we have to use a deployment script to get it. // This takes a long time to deploy so we are starting as soon as possible. @@ -401,7 +403,7 @@ module fluxExtension 'modules/flux-extension/main.bicep' = { clusterName: clusterBlade.outputs.clusterName location: location extensionType: 'microsoft.flux' - name: 'flux' + name: 'flux' releaseNamespace: 'flux-system' releaseTrain: 'Stable' 
@@ -425,20 +427,20 @@ module fluxExtension 'modules/flux-extension/main.bicep' = { _______. ______ .______ __ .______ .___________. / | / || _ \ | | | _ \ | | | (----`| ,----'| |_) | | | | |_) | `---| |----` - \ \ | | | / | | | ___/ | | -.----) | | `----.| |\ \----.| | | | | | -|_______/ \______|| _| `._____||__| | _| |__| + \ \ | | | / | | | ___/ | | +.----) | | `----.| |\ \----.| | | | | | +|_______/ \______|| _| `._____||__| | _| |__| */ -module extensionClientId 'br/public:avm/res/resources/deployment-script:0.4.0' = { +module extensionClientId 'br/public:avm/res/resources/deployment-script:0.5.1' = { name: '${configuration.name}-script-clientId' - + params: { kind: 'AzureCLI' name: 'script-${configuration.name}-aks-extension' - azCliVersion: '2.63.0' location: location + azCliVersion: '2.64.0' managedIdentities: { - userAssignedResourcesIds: [ + userAssignedResourceIds: [ stampIdentity.outputs.resourceId ] } @@ -453,16 +455,17 @@ module extensionClientId 'br/public:avm/res/resources/deployment-script:0.4.0' = value: fluxExtension.outputs.principalId } ] - + timeout: 'PT30M' retentionInterval: 'PT1H' scriptContent: ''' + tdnf install -y jq az login --identity echo "Looking up client ID for $principalId in ResourceGroup $rgName" clientId=$(az identity list --resource-group $rgName --query "[?principalId=='$principalId'] | [0].clientId" -otsv) - + echo "Found ClientId: $clientId" echo "{\"clientId\":\"$clientId\"}" | jq -c '.' > $AZ_SCRIPTS_OUTPUT_PATH ''' 
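Review bot: `tdnf install -y jq` in `scriptContent` adds an unpinned package install from a network repository on every deployment, so the script now depends on outbound access and repository availability and pulls an unversioned binary into a step that runs with the stamp identity's permissions. Its only use is to compact a JSON object that is itself built by string interpolation on the following lines; `az` can emit that directly, e.g. `az identity list --resource-group $rgName --query "[?principalId=='$principalId'] | [0].{clientId: clientId}" -o json > $AZ_SCRIPTS_OUTPUT_PATH`, which drops both the install and the hand-built JSON (note the no-match case then yields an empty output rather than `{"clientId":""}`, which is arguably the better failure). `azCliVersion` moves to `'2.64.0'` here while the workflow pins `AZCLIVERSION: 2.63.0` with a linked issue and the gitOpsUpload script below stays at `'2.63.0'`; if the workflow pin is deliberate, a one-line comment here saying why this script differs would help. The `userAssignedResourceIds` rename matches 0.5.1, but the same rename is missing from the gitOpsUpload hunk below.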
@@ -474,14 +477,14 @@ module extensionClientId 'br/public:avm/res/resources/deployment-script:0.4.0' = /* -.______ _______ _______ __ _______.___________..______ ____ ____ -| _ \ | ____| / _____|| | / | || _ \ \ \ / / -| |_) | | |__ | | __ | | | (----`---| |----`| |_) | \ \/ / -| / | __| | | |_ | | | \ \ | | | / \_ _/ -| |\ \----.| |____ | |__| | | | .----) | | | | |\ \----. | | -| _| `._____||_______| \______| |__| |_______/ |__| | _| `._____| |__| +.______ _______ _______ __ _______.___________..______ ____ ____ +| _ \ | ____| / _____|| | / | || _ \ \ \ / / +| |_) | | |__ | | __ | | | (----`---| |----`| |_) | \ \/ / +| / | __| | | |_ | | | \ \ | | | / \_ _/ +| |\ \----.| |____ | |__| | | | .----) | | | | |\ \----. | | +| _| `._____||_______| \______| |__| |_______/ |__| | _| `._____| |__| */ -module registry 'br/public:avm/res/container-registry/registry:0.1.1' = { +module registry 'br/public:avm/res/container-registry/registry:0.7.0' = { name: '${configuration.name}-container-registry' params: { name: '${replace(configuration.name, '-', '')}${uniqueString(resourceGroup().id, configuration.name)}' @@ -518,6 +521,11 @@ module registry 'br/public:avm/res/container-registry/registry:0.1.1' = { principalType: 'ServicePrincipal' roleDefinitionIdOrName: 'AcrPull' } + { + principalId: clusterBlade.outputs.kubeletIdentityId + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'AcrPull' + } ] } } 
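Review bot: The new AcrPull entry references `clusterBlade.outputs.kubeletIdentityId`, which, as far as can be seen here, makes the registry deployment wait for the whole cluster blade where it previously had no dependency on it; if that ordering is acceptable, a short comment on the entry (`// kubelet pulls images with its own identity, so grant it AcrPull`) would explain why the registry now depends on the cluster. AcrPull is the minimal role for image pull and `principalType: 'ServicePrincipal'` is the correct choice for a managed identity principal, so the grant itself is least-privilege. The registry module body continues outside this hunk.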
@@ -527,15 +535,15 @@ module registry 'br/public:avm/res/container-registry/registry:0.1.1' = { __ ___ ___________ ____ ____ ____ ___ __ __ __ .___________. | |/ / | ____\ \ / / \ \ / / / \ | | | | | | | | | ' / | |__ \ \/ / \ \/ / / ^ \ | | | | | | `---| |----` -| < | __| \_ _/ \ / / /_\ \ | | | | | | | | -| . \ | |____ | | \ / / _____ \ | `--' | | `----. | | -|__|\__\ |_______| |__| \__/ /__/ \__\ \______/ |_______| |__| +| < | __| \_ _/ \ / / /_\ \ | | | | | | | | +| . \ | |____ | | \ / / _____ \ | `--' | | `----. | | +|__|\__\ |_______| |__| \__/ /__/ \__\ \______/ |_______| |__| */ var name = '${replace(configuration.name, '-', '')}${uniqueString(resourceGroup().id, configuration.name)}' @description('The list of secrets to persist to the Key Vault') -var vaultSecrets = [ +var vaultSecrets = [ { secretName: 'tenant-id' secretValue: subscription().tenantId @@ -548,11 +556,6 @@ var vaultSecrets = [ secretName: 'subscription-id' secretValue: subscription().subscriptionId } - // Azure AD Secrets - { - secretName: 'app-dev-sp-password' - secretValue: applicationClientSecret == '' ? 'dummy' : applicationClientSecret - } { secretName: 'app-dev-sp-id' secretValue: applicationClientId @@ -595,13 +598,13 @@ var vaultSecrets = [ } ] -module keyvault 'br/public:avm/res/key-vault/vault:0.5.1' = { +module keyvault 'br/public:avm/res/key-vault/vault:0.11.2' = { name: '${configuration.name}-keyvault' params: { name: length(name) > 24 ? substring(name, 0, 24) : name location: location enableTelemetry: enableTelemetry - + // Assign Tags tags: { layer: configuration.displayName @@ -615,7 +618,7 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.5.1' = { ] enablePurgeProtection: false - + // Configure RBAC enableRbacAuthorization: true roleAssignments: union( 
@@ -648,12 +651,14 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.5.1' = { } // Configure Secrets - secrets: { - secureList: [for secret in vaultSecrets: { - name: secret.secretName - value: secret.secretValue - }] - } + secrets: [for secret in vaultSecrets: { + name: secret.secretName + value: secret.secretValue + contentType: 'text/plain' + attributes: { + enabled: true + } + }] } } @@ -662,9 +667,9 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.5.1' = { _______. _______ ______ .______ _______ .___________. _______. / || ____| / || _ \ | ____|| | / | | (----`| |__ | ,----'| |_) | | |__ `---| |----` | (----` - \ \ | __| | | | / | __| | | \ \ -.----) | | |____ | `----.| |\ \----.| |____ | | .----) | -|_______/ |_______| \______|| _| `._____||_______| |__| |_______/ + \ \ | __| | | | / | __| | | \ \ +.----) | | |____ | `----.| |\ \----.| |____ | | .----) | +|_______/ |_______| \______|| _| `._____||_______| |__| |_______/ */ // This custom module is used to persist insights, cache and workspace secrets to the Key Vault. module keyvaultSecrets 'modules/keyvault_secrets.bicep' = { @@ -675,6 +680,7 @@ module keyvaultSecrets 'modules/keyvault_secrets.bicep' = { workspaceName: logAnalytics.outputs.name insightsName: insights.outputs.name cacheName: redis.outputs.name + identityName: stampIdentity.outputs.name } dependsOn: [ insights 
@@ -701,12 +707,12 @@ var commonLayerConfig = { } -/* _______.___________. ______ .______ ___ _______ _______ +/* _______.___________. ______ .______ ___ _______ _______ / | | / __ \ | _ \ / \ / _____|| ____| - | (----`---| |----`| | | | | |_) | / ^ \ | | __ | |__ - \ \ | | | | | | | / / /_\ \ | | |_ | | __| -.----) | | | | `--' | | |\ \----./ _____ \ | |__| | | |____ -|_______/ |__| \______/ | _| `._____/__/ \__\ \______| |_______| + | (----`---| |----`| | | | | |_) | / ^ \ | | __ | |__ + \ \ | | | | | | | / / /_\ \ | | |_ | | __| +.----) | | | | `--' | | |\ \----./ _____ \ | |__| | | |____ +|_______/ |__| \______/ | _| `._____/__/ \__\ \______| |_______| */ // AVM Module Customized due to required Secrets. module storage 'modules/storage-account/main.bicep' = { @@ -721,7 +727,7 @@ module storage 'modules/storage-account/main.bicep' = { layer: configuration.displayName id: rg_unique_id } - + // Hook up Diagnostics diagnosticSettings: [ { @@ -774,7 +780,7 @@ module storage 'modules/storage-account/main.bicep' = { publicNetworkAccess: 'Enabled' // TODO: This is required for Partition Service to access the storage account. Issue: https://github.com/Azure/osdu-developer/issues/230 - allowSharedKeyAccess: true + allowSharedKeyAccess: true // https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template?tabs=CLI#debug-deployment-scripts networkAcls: { @@ -800,7 +806,7 @@ module storage 'modules/storage-account/main.bicep' = { ] connectionString1: [ 'system-storage-connection' - ] + ] blobEndpoint: [ 'system-storage-blob-endpoint' ] 
@@ -817,12 +823,12 @@ module storage 'modules/storage-account/main.bicep' = { /* - _______ .______ ___ .______ __ __ - / _____|| _ \ / \ | _ \ | | | | -| | __ | |_) | / ^ \ | |_) | | |__| | -| | |_ | | / / /_\ \ | ___/ | __ | -| |__| | | |\ \----./ _____ \ | | | | | | - \______| | _| `._____/__/ \__\ | _| |__| |__| + _______ .______ ___ .______ __ __ + / _____|| _ \ / \ | _ \ | | | | +| | __ | |_) | / ^ \ | |_) | | |__| | +| | |_ | | / / /_\ \ | ___/ | __ | +| |__| | | |\ \----./ _____ \ | | | | | | + \______| | _| `._____/__/ \__\ | _| |__| |__| */ // AVM Module Customized due to required Secrets. module database 'modules/cosmos-db/main.bicep' = { @@ -877,7 +883,7 @@ module database 'modules/cosmos-db/main.bicep' = { databaseEndpointSecretName: 'graph-db-endpoint' databasePrimaryKeySecretName: 'graph-db-primary-key' databaseConnectionStringSecretName: 'graph-db-connection' - + roleAssignments: [ { @@ -898,9 +904,9 @@ module database 'modules/cosmos-db/main.bicep' = { _______. ______ .______ __ .______ .___________. _______. / | / || _ \ | | | _ \ | | / | | (----`| ,----'| |_) | | | | |_) | `---| |----` | (----` - \ \ | | | / | | | ___/ | | \ \ -.----) | | `----.| |\ \----.| | | | | | .----) | -|_______/ \______|| _| `._____||__| | _| |__| |_______/ + \ \ | | | / | | | ___/ | | \ \ +.----) | | `----.| |\ \----.| | | | | | .----) | +|_______/ \______|| _| `._____||__| | _| |__| |_______/ */ @@ -917,7 +923,7 @@ var directoryUploads = [ ] @batchSize(1) -module gitOpsUpload 'br/public:avm/res/resources/deployment-script:0.4.0' = [for item in directoryUploads: if (clusterSoftware.private == 'true') { +module gitOpsUpload 'br/public:avm/res/resources/deployment-script:0.5.1' = [for item in directoryUploads: if (clusterSoftware.private == 'true') { name: '${configuration.name}-storage-${item.directory}-upload' params: { name: 'script-${storage.outputs.name}-${item.directory}' 
@@ -927,16 +933,16 @@ module gitOpsUpload 'br/public:avm/res/resources/deployment-script:0.4.0' = [for retentionInterval: 'PT1H' timeout: 'PT30M' runOnce: true - + managedIdentities: { userAssignedResourcesIds: [ stampIdentity.outputs.resourceId ] - } + } kind: 'AzureCLI' azCliVersion: '2.63.0' - + environmentVariables: [ { name: 'AZURE_STORAGE_ACCOUNT', value: storage.outputs.name } { name: 'FILE', value: 'main.zip' } @@ -964,17 +970,17 @@ module gitOpsUpload 'br/public:avm/res/resources/deployment-script:0.4.0' = [for /* -.______ ___ .______ .___________. __ .___________. __ ______ .__ __. -| _ \ / \ | _ \ | || | | || | / __ \ | \ | | -| |_) | / ^ \ | |_) | `---| |----`| | `---| |----`| | | | | | | \| | -| ___/ / /_\ \ | / | | | | | | | | | | | | | . ` | -| | / _____ \ | |\ \----. | | | | | | | | | `--' | | |\ | -| _| /__/ \__\ | _| `._____| |__| |__| |__| |__| \______/ |__| \__| -.______ __ ___ _______ _______ +.______ ___ .______ .___________. __ .___________. __ ______ .__ __. +| _ \ / \ | _ \ | || | | || | / __ \ | \ | | +| |_) | / ^ \ | |_) | `---| |----`| | `---| |----`| | | | | | | \| | +| ___/ / /_\ \ | / | | | | | | | | | | | | | . ` | +| | / _____ \ | |\ \----. | | | | | | | | | `--' | | |\ | +| _| /__/ \__\ | _| `._____| |__| |__| |__| |__| \______/ |__| \__| +.______ __ ___ _______ _______ | _ \ | | / \ | \ | ____| -| |_) | | | / ^ \ | .--. || |__ -| _ < | | / /_\ \ | | | || __| -| |_) | | `----./ _____ \ | '--' || |____ +| |_) | | | / ^ \ | .--. || |__ +| _ < | | / /_\ \ | | | || __| +| |_) | | `----./ _____ \ | '--' || |____ |______/ |_______/__/ \__\ |_______/ |_______| */ module partitionBlade 'modules/blade_partition.bicep' = { @@ -993,7 +999,7 @@ module partitionBlade 'modules/blade_partition.bicep' = { workspaceResourceId: logAnalytics.outputs.resourceId kvName: keyvault.outputs.name natClusterIP: clusterBlade.outputs.natClusterIP - + enableBlobPublicAccess: false partitions: configuration.partitions 
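Review bot: This hunk's context still passes `managedIdentities.userAssignedResourcesIds` to gitOpsUpload, but the module reference in the preceding hunk was bumped to `deployment-script:0.5.1`, the same version for which the extensionClientId module earlier in this diff was changed to `userAssignedResourceIds`; under the 0.5.1 schema the old key should be rejected or ignored, and in the latter case the script would run without the stamp identity and any identity-based `az login` in it would fail. Change the line to `userAssignedResourceIds: [`. `azCliVersion: '2.63.0'` here also differs from the `'2.64.0'` now used by extensionClientId; the two deployment scripts should pin the same version unless there is a documented reason not to. The gitOpsUpload module body continues outside this hunk.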
@@ -1013,17 +1019,17 @@ module partitionBlade 'modules/blade_partition.bicep' = { /* - ______ ______ .__ __. _______ __ _______ + ______ ______ .__ __. _______ __ _______ / | / __ \ | \ | | | ____|| | / _____| -| ,----'| | | | | \| | | |__ | | | | __ -| | | | | | | . ` | | __| | | | | |_ | -| `----.| `--' | | |\ | | | | | | |__| | - \______| \______/ |__| \__| |__| |__| \______| -.______ __ ___ _______ _______ +| ,----'| | | | | \| | | |__ | | | | __ +| | | | | | | . ` | | __| | | | | |_ | +| `----.| `--' | | |\ | | | | | | |__| | + \______| \______/ |__| \__| |__| |__| \______| +.______ __ ___ _______ _______ | _ \ | | / \ | \ | ____| -| |_) | | | / ^ \ | .--. || |__ -| _ < | | / /_\ \ | | | || __| -| |_) | | `----./ _____ \ | '--' || |____ +| |_) | | | / ^ \ | .--. || |__ +| _ < | | / /_\ \ | | | || __| +| |_) | | `----./ _____ \ | '--' || |____ |______/ |_______/__/ \__\ |_______/ |_______| */ module configBlade 'modules/blade_configuration.bicep' = { @@ -1059,7 +1065,7 @@ module configBlade 'modules/blade_configuration.bicep' = { appInsightsKey: insights.outputs.instrumentationKey partitionStorageNames: partitionBlade.outputs.partitionStorageNames partitionServiceBusNames: partitionBlade.outputs.partitionServiceBusNames - + clusterName: clusterBlade.outputs.clusterName oidcIssuerUrl: clusterBlade.outputs.oidcIssuerUrl clusterIngress: ingressType == '' ? 'External' : ingressType @@ -1081,11 +1087,18 @@ module configBlade 'modules/blade_configuration.bicep' = { contentType: 'text/plain' label: 'configmap-services' } + { + name: 'registry' + value: registry.outputs.loginServer + contentType: 'text/plain' + label: 'configmap-services' + } ] } dependsOn: [ clusterBlade partitionBlade + registry fluxExtension ] } diff --git a/bicep/main.parameters.json b/bicep/main.parameters.json index 34aac859..909f8c70 100644 --- a/bicep/main.parameters.json +++ b/bicep/main.parameters.json 
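Review bot: The added `registry` entry in `dependsOn` is redundant: `registry.outputs.loginServer` a few lines above already creates an implicit dependency on the registry module, and Bicep's `no-unnecessary-dependson` linter rule flags exactly this. Drop that line; the pre-existing `clusterBlade` and `partitionBlade` entries have the same issue since their outputs are also referenced in this module's params. The configBlade module body starts before this hunk.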
@@ -14,9 +14,6 @@
 "emailAddress": {
 "value": "${EMAIL_ADDRESS}"
 },
- "customVMSize": {
- "value": "${CLUSTER_VM_SIZE}"
- },
 "ingressType": {
 "value": "${CLUSTER_INGRESS}"
 },
@@ -33,6 +30,13 @@
 "enableLockDown": "${ENABLE_LOCK_DOWN}"
 }
 },
+ "serverConfiguration": {
+ "value": {
+ "systemPool": "${VMSIZE_SYSTEM_POOL}",
+ "zonePool": "${VMSIZE_ZONE_POOL}",
+ "userPool": "${VMSIZE_USER_POOL}"
+ }
+ },
 "vnetConfiguration": {
 "value": {
 "group": "${VIRTUAL_NETWORK_GROUP}",
diff --git a/bicep/modules/blade_cluster.bicep b/bicep/modules/blade_cluster.bicep
index 6a73ddd0..b66da5b9 100644
--- a/bicep/modules/blade_cluster.bicep
+++ b/bicep/modules/blade_cluster.bicep
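Review bot: The three new `${VMSIZE_SYSTEM_POOL}`, `${VMSIZE_ZONE_POOL}` and `${VMSIZE_USER_POOL}` placeholders become environment variables every deployer of this parameter file has to know about, and nothing in the diff documents them; presumably an unset variable substitutes to an empty string and relies on the `== ''` fallback in main.bicep rather than the module defaults. If a README or `.env` template lists the existing `CLUSTER_*` variables elsewhere in the repository, it should gain these three and lose the removed `CLUSTER_VM_SIZE`.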
@@ -17,18 +17,30 @@ param enableTelemetry bool @description('The workspace resource Id for diagnostics') param workspaceResourceId string -@description('A Custom VM Size for Internal Pool') -param vmSize string +// D4pds v5 with 4 vCPUs and 16 GiB of memory. Available in 22 regions starting from $88.18 per month. +// D4s_v5 with 4 vCPUs and 16 GiB of memory. Available in 50 regions starting from $140.16 per month. +@description('A Custom VM Size for System Pool (4x8 ARM:true)') +param vmSizeSystemPool string = 'Standard_D4pds_v6' + +// D2pds v5 with 2 vCPUs and 8 GiB of memory. Available in 22 regions starting from $44.09 per month. +// D2s_v5 with 2 vCPUs and 8 GiB of memory. Available in 50 regions starting from $70.08 per month. +@description('A Custom VM Size for Zone Pool (2x8 ARM:true)') +param vmSizeZonePool string = 'Standard_D2pds_v6' + +// B4s_v2 with 4 vCPUs and 16 GiB of memory. Available in 49 regions starting from $16.64 per month. +// D4s_v5 with 4 vCPUs and 16 GiB of memory. Available in 50 regions starting from $140.16 per month. +@description('A Custom VM Size for User Pool (2x8 ARM:false BURST:true)') +param vmSizeUserPool string = 'Standard_B4s_v2' @minLength(9) @maxLength(18) @description('The address range to use for services') -param serviceCidr string = '172.16.0.0/16' +param serviceCidr string = '10.0.0.0/16' @minLength(7) @maxLength(15) @description('The IP address to reserve for DNS') -param dnsServiceIP string = '172.16.0.10' +param dnsServiceIP string = '10.0.0.10' @description('The id of the subnet to deploy the AKS nodes') param aksSubnetId string @@ -51,6 +63,8 @@ param enablePrivateCluster bool = true @description('Feature Flag to Enable Node Resource Group Lock Down') param nodeResourceGroupLockDown bool = true + + ///////////////////////////////// // Configuration ///////////////////////////////// 
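Review bot: Changing `serviceCidr` to `10.0.0.0/16` and `dnsServiceIP` to `10.0.0.10` moves the Kubernetes service range onto the most commonly used private VNet prefix; AKS rejects a service CIDR that overlaps the cluster's VNet or subnets, and this template supports bring-your-own VNets through `vnetConfiguration`, so a customer VNet in 10.0.0.0/16 would now fail where the previous `172.16.0.0/16` did not. If the change is required for a specific region or peering reason, a comment above `serviceCidr` stating it would help; otherwise a less common range is the safer default. The pricing comments above each parameter describe the v5 sizes while the defaults are `_v6`, and the `vmSizeUserPool` description says `(2x8 ARM:false BURST:true)` although the line above it and main.bicep both describe B4s_v2 as 4x16; the text should match the values it documents.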
@@ -61,15 +75,18 @@ var serviceLayerConfig = { } cluster: { tier: 'Standard' + sku: 'Base' aksVersion: '1.30' - // D2pds v5 with 2 vCPUs and 8 GiB of memory. Available in 22 regions starting from $44.09 per month. - // D4pds v5 with 4 vCPUs and 16 GiB of memory. Available in 22 regions starting from $88.18 per month. - // D2s_v5 with 2 vCPUs and 8 GiB of memory. Available in 50 regions starting from $70.08 per month. - // D4s_v5 with 4 vCPUs and 16 GiB of memory. Available in 50 regions starting from $140.16 per month. - vmSize: 'Standard_D4pds_v5' - poolSize: 'Standard_D2pds_v5' - defaultSize: 'Standard_D4s_v5' // OSDU Java Services don't run on ARM? + // // D2pds v5 with 2 vCPUs and 8 GiB of memory. Available in 22 regions starting from $44.09 per month. + // // D4pds v5 with 4 vCPUs and 16 GiB of memory. Available in 22 regions starting from $88.18 per month. + // // D2s_v5 with 2 vCPUs and 8 GiB of memory. Available in 50 regions starting from $70.08 per month. + // // D4s_v5 with 4 vCPUs and 16 GiB of memory. Available in 50 regions starting from $140.16 per month. + // // D4ps_v5 with 4 vCPUs and 16 GiB of memory. Available in 23 regions, starting from $73.73 per month. + // // B4s_v2 with 4 vCPUs and 16 GiB of memory. Available in 49 regions starting from $16.64 per month. + // vmSize: 'Standard_D4pds_v6' + // poolSize: 'Standard_D2pds_v6' + // defaultSize: 'Standard_B4s_v2' // OSDU Java Services don't run on ARM? } } @@ -96,6 +113,7 @@ module cluster './managed-cluster/main.bicep' = { name: '${replace(bladeConfig.sectionName, '-', '')}${uniqueString(resourceGroup().id, bladeConfig.sectionName)}' location: location skuTier: serviceLayerConfig.cluster.tier + skuName: serviceLayerConfig.cluster.sku kubernetesVersion: serviceLayerConfig.cluster.aksVersion // Assign Tags 
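Review bot: The `serviceLayerConfig.cluster` block keeps the old size table as double-commented lines (`// vmSize: 'Standard_D4pds_v6'` and the lines around it) next to the new `sku: 'Base'` entry; the sizes now live in the `vmSizeSystemPool` / `vmSizeZonePool` / `vmSizeUserPool` parameters, so this is dead text that will drift from the real defaults. Delete it, or reduce it to one pointer comment such as `// VM sizes are taken from the vmSize*Pool parameters above`. The `cluster` object continues outside this hunk.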
@@ -209,7 +227,7 @@ module cluster './managed-cluster/main.bicep' = { { name: 'system' mode: 'System' - vmSize: empty(vmSize) ? serviceLayerConfig.cluster.vmSize : vmSize + vmSize: vmSizeSystemPool enableAutoScaling: !enableNodeAutoProvisioning count: enableNodeAutoProvisioning ? 2 : null minCount: enableNodeAutoProvisioning ? null : 2 @@ -237,7 +255,7 @@ module cluster './managed-cluster/main.bicep' = { { name: 'default' mode: 'User' - vmSize: empty(vmSize) ? serviceLayerConfig.cluster.defaultSize : vmSize + vmSize: vmSizeUserPool enableAutoScaling: !enableNodeAutoProvisioning count: enableNodeAutoProvisioning ? 4 : null minCount: enableNodeAutoProvisioning ? null : 4 @@ -256,7 +274,7 @@ module cluster './managed-cluster/main.bicep' = { { name: 'poolz1' mode: 'User' - vmSize: empty(vmSize) ? serviceLayerConfig.cluster.poolSize : vmSize + vmSize: vmSizeZonePool enableAutoScaling: !enableNodeAutoProvisioning minCount: enableNodeAutoProvisioning ? null : 1 maxCount: enableNodeAutoProvisioning ? null : 3 @@ -277,7 +295,7 @@ module cluster './managed-cluster/main.bicep' = { { name: 'poolz2' mode: 'User' - vmSize: empty(vmSize) ? serviceLayerConfig.cluster.poolSize : vmSize + vmSize: vmSizeZonePool enableAutoScaling: !enableNodeAutoProvisioning minCount: enableNodeAutoProvisioning ? null : 1 maxCount: enableNodeAutoProvisioning ? null : 3 @@ -298,7 +316,7 @@ module cluster './managed-cluster/main.bicep' = { { name: 'poolz3' mode: 'User' - vmSize: empty(vmSize) ? serviceLayerConfig.cluster.poolSize : vmSize + vmSize: vmSizeZonePool enableAutoScaling: !enableNodeAutoProvisioning minCount: enableNodeAutoProvisioning ? null : 1 maxCount: enableNodeAutoProvisioning ? null : 3 
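Review bot: Each pool now passes its parameter through unguarded (`vmSize: vmSizeSystemPool` here and `vmSizeUserPool` / `vmSizeZonePool` in the four hunks that follow), so the `empty(vmSize)` fallback that previously protected this module against an empty string is gone; main.bicep reinstates it with a ternary, but any other caller passing `''` now gets a failed cluster deployment instead of a default. Adding `@minLength(1)` to `vmSizeSystemPool`, `vmSizeZonePool` and `vmSizeUserPool` in the parameter block would turn that into a validation-time error at the module boundary. The agent pool definitions start before and end after each of these hunks.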
@@ -394,6 +412,9 @@ output natClusterIP string = natClusterIP.outputs.ipAddress @description('The OIDC Issuer URL for the cluster.') output oidcIssuerUrl string = cluster.outputs.oidcIssuerUrl +@description('The Object ID of the Kubelet Identity.') +output kubeletIdentityId string = cluster.outputs.kubeletIdentityObjectId + // =============== // // Definitions // // =============== // diff --git a/bicep/modules/blade_configuration.bicep b/bicep/modules/blade_configuration.bicep index 3b0feba8..a13a5a09 100644 --- a/bicep/modules/blade_configuration.bicep +++ b/bicep/modules/blade_configuration.bicep @@ -1,5 +1,5 @@ ///////////////// -// Configuration Blade +// Configuration Blade ///////////////// @description('The configuration for the blade section.') @@ -12,10 +12,10 @@ param location string param tags object = {} @description('The name of the Key Vault where the secret exists') -param kvName string +param kvName string @description('The Uri of the Key Vault where the secret exists') -param kvUri string +param kvUri string @description('The name of the cluster.') param clusterName string @@ -113,12 +113,21 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: kvName } -resource keySecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = { +resource keySecretSpUsername 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = { name: 'app-dev-sp-username' parent: keyVault properties: { - value: applicationClientId + value: appIdentity.properties.clientId + } +} + +resource keySecretSpPassword 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = { + name: 'app-dev-sp-password' + parent: keyVault + + properties: { + value: 'dummy' } } 
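Review bot: `keySecretSpPassword` writes the literal `'dummy'` into the `app-dev-sp-password` Key Vault secret with nothing at the resource saying why, so a reader or a vault audit cannot tell whether this is a deliberate placeholder for charts that still mount the key or a broken credential. Add a comment above the resource, e.g. `// Placeholder: no SP secret is provisioned any more (workloads use federated identity); kept so charts that still reference the key resolve.`, and consider setting `contentType` so the placeholder is recognisable from the vault side. In the same hunk `keySecretSpUsername` now stores `appIdentity.properties.clientId` instead of `applicationClientId`; if that was the parameter's only use in this module (its declaration is outside the hunk), the parameter can be removed. In the blade_cluster hunk above, the output is named `kubeletIdentityId` but holds `cluster.outputs.kubeletIdentityObjectId`; `kubeletIdentityObjectId` or `kubeletIdentityPrincipalId` would make its binding to `principalId:` in main.bicep self-explanatory.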
@@ -169,12 +178,12 @@ var federatedIdentityCredentials = [ ] /* - _______ _______ _______ _______ .______ ___ .___________. __ ______ .__ __. -| ____|| ____|| \ | ____|| _ \ / \ | || | / __ \ | \ | | -| |__ | |__ | .--. || |__ | |_) | / ^ \ `---| |----`| | | | | | | \| | -| __| | __| | | | || __| | / / /_\ \ | | | | | | | | | . ` | -| | | |____ | '--' || |____ | |\ \----./ _____ \ | | | | | `--' | | |\ | -|__| |_______||_______/ |_______|| _| `._____/__/ \__\ |__| |__| \______/ |__| \__| + _______ _______ _______ _______ .______ ___ .___________. __ ______ .__ __. +| ____|| ____|| \ | ____|| _ \ / \ | || | / __ \ | \ | | +| |__ | |__ | .--. || |__ | |_) | / ^ \ `---| |----`| | | | | | | \| | +| __| | __| | | | || __| | / / /_\ \ | | | | | | | | | . ` | +| | | |____ | '--' || |____ | |\ \----./ _____ \ | | | | | `--' | | |\ | +|__| |_______||_______/ |_______|| _| `._____/__/ \__\ |__| |__| \______/ |__| \__| */ @batchSize(1) module federatedCredentials './federated_identity.bicep' = [for (cred, index) in federatedIdentityCredentials: { @@ -207,6 +216,12 @@ var common_helm_values = [ contentType: 'text/plain' label: 'configmap-common-values' } + { + name: 'AZURE_PAAS_WORKLOADIDENTITY_ISENABLED' + value: 'true' + contentType: 'text/plain' + label: 'configmap-common-values' + } { name: 'ACCEPT_HTTP' value: 'true' 
@@ -323,12 +338,12 @@ var partitionStorageSettings = [for (name, i) in partitionStorageNames: { }] /* - ___ .______ .______ ______ ______ .__ __. _______ __ _______ + ___ .______ .______ ______ ______ .__ __. _______ __ _______ / \ | _ \ | _ \ / | / __ \ | \ | | | ____|| | / _____| - / ^ \ | |_) | | |_) | | ,----'| | | | | \| | | |__ | | | | __ - / /_\ \ | ___/ | ___/ | | | | | | | . ` | | __| | | | | |_ | - / _____ \ | | | | | `----.| `--' | | |\ | | | | | | |__| | -/__/ \__\ | _| | _| \______| \______/ |__| \__| |__| |__| \______| + / ^ \ | |_) | | |_) | | ,----'| | | | | \| | | |__ | | | | __ + / /_\ \ | ___/ | ___/ | | | | | | | . ` | | __| | | | | |_ | + / _____ \ | | | | | `----.| `--' | | |\ | | | | | | |__| | +/__/ \__\ | _| | _| \______| \______/ |__| \__| |__| |__| \______| */ // AVM Module Customized due for east of settings. module app_config './app-configuration/main.bicep' = { @@ -397,12 +412,12 @@ values.yaml: | } /* - ______ ______ .__ __. _______ __ _______ .___ ___. ___ .______ - / | / __ \ | \ | | | ____|| | / _____|| \/ | / \ | _ \ -| ,----'| | | | | \| | | |__ | | | | __ | \ / | / ^ \ | |_) | -| | | | | | | . ` | | __| | | | | |_ | | |\/| | / /_\ \ | ___/ -| `----.| `--' | | |\ | | | | | | |__| | | | | | / _____ \ | | - \______| \______/ |__| \__| |__| |__| \______| |__| |__| /__/ \__\ | _| + ______ ______ .__ __. _______ __ _______ .___ ___. ___ .______ + / | / __ \ | \ | | | ____|| | / _____|| \/ | / \ | _ \ +| ,----'| | | | | \| | | |__ | | | | __ | \ / | / ^ \ | |_) | +| | | | | | | . ` | | __| | | | | |_ | | |\/| | / /_\ \ | ___/ +| `----.| `--' | | |\ | | | | | | |__| | | | | | / _____ \ | | + \______| \______/ |__| \__| |__| |__| \______| |__| |__| /__/ \__\ | _| */ module appConfigMap './aks-config-map/main.bicep' = { name: '${bladeConfig.sectionName}-cluster-appconfig-configmap' 
@@ -411,7 +426,7 @@ module appConfigMap './aks-config-map/main.bicep' = { location: location name: 'config-map-values' namespace: 'default' - + newOrExistingManagedIdentity: 'existing' managedIdentityName: managedIdentityName existingManagedIdentitySubId: subscription().subscriptionId @@ -419,8 +434,8 @@ module appConfigMap './aks-config-map/main.bicep' = { // Order of items matters here. fileData: [ - format(configMaps.appConfigTemplate, - subscription().tenantId, + format(configMaps.appConfigTemplate, + subscription().tenantId, appIdentity.properties.clientId, app_config.outputs.endpoint, kvUri, @@ -457,9 +472,9 @@ var serviceLayerConfig = { /* _______ __ .___________. ______ .______ _______. / _____|| | | | / __ \ | _ \ / | | | __ | | `---| |----`| | | | | |_) | | (----` -| | |_ | | | | | | | | | | ___/ \ \ -| |__| | | | | | | `--' | | | .----) | - \______| |__| |__| \______/ | _| |_______/ +| | |_ | | | | | | | | | | ___/ \ \ +| |__| | | | | | | `--' | | | .----) | + \______| |__| |__| \______/ | _| |_______/ */ //--------------Flux Config--------------- module fluxConfiguration 'br/public:avm/res/kubernetes-configuration/flux-configuration:0.3.3' = if(enableSoftwareLoad) { diff --git a/bicep/modules/blade_partition.bicep b/bicep/modules/blade_partition.bicep index 8df7b7e9..e8ff7836 100644 --- a/bicep/modules/blade_partition.bicep +++ b/bicep/modules/blade_partition.bicep @@ -1,5 +1,5 @@ ///////////////// -// Partition Blade +// Partition Blade ///////////////// @description('The configuration for the blade section.') @@ -25,7 +25,7 @@ param cmekConfiguration object = { } @description('The name of the Key Vault where the secret exists') -param kvName string +param kvName string @description('List of Data Partitions') param partitions array = [ @@ -41,7 +41,7 @@ param managedIdentityName string param natClusterIP string ///////////////////////////////// -// Configuration +// Configuration ///////////////////////////////// var partitionLayerConfig = { secrets: { 
@@ -434,7 +434,7 @@ var partitionLayerConfig = { } ] } - + ] } } @@ -463,12 +463,12 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = { } -/* _______.___________. ______ .______ ___ _______ _______ +/* _______.___________. ______ .______ ___ _______ _______ / | | / __ \ | _ \ / \ / _____|| ____| - | (----`---| |----`| | | | | |_) | / ^ \ | | __ | |__ - \ \ | | | | | | | / / /_\ \ | | |_ | | __| -.----) | | | | `--' | | |\ \----./ _____ \ | |__| | | |____ -|_______/ |__| \______/ | _| `._____/__/ \__\ \______| |_______| + | (----`---| |----`| | | | | |_) | / ^ \ | | __ | |__ + \ \ | | | | | | | / / /_\ \ | | |_ | | __| +.----) | | | | `--' | | |\ \----./ _____ \ | |__| | | |____ +|_______/ |__| \______/ | _| `._____/__/ \__\ \______| |_______| */ // AVM Module Customized due to required Secrets. @@ -489,7 +489,7 @@ module storage 'storage-account/main.bicep' = [for (partition, index) in partiti purpose: 'data' } ) - + // Hook up Diagnostics diagnosticSettings: [ { @@ -538,7 +538,7 @@ module storage 'storage-account/main.bicep' = [for (partition, index) in partiti ] accessKey1: [ '${partition.name}-${partitionLayerConfig.secrets.storageAccountKey}' - ] + ] blobEndpoint: [ '${partition.name}-${partitionLayerConfig.secrets.storageAccountBlob}' ] @@ -547,7 +547,7 @@ module storage 'storage-account/main.bicep' = [for (partition, index) in partiti }] -module partitionDb './cosmos-db/main.bicep' = [for (partition, index) in partitions: { +module partitionDb './cosmos-db/main.bicep' = [for (partition, index) in partitions: { name: '${bladeConfig.sectionName}-cosmos-db-${index}' params: { #disable-next-line BCP335 @@ -585,7 +585,7 @@ module partitionDb './cosmos-db/main.bicep' = [for (partition, index) in partiti array(systemDatabase), array(partitionDatabase) ) : array(partitionDatabase) - + maxThroughput: partitionLayerConfig.database.throughput backupPolicyType: partitionLayerConfig.database.backup 
@@ -606,6 +606,24 @@ module partitionDb './cosmos-db/main.bicep' = [for (partition, index) in partiti }] +// First, create a variable to handle the subscription mapping +var topicsWithSubscriptions = [for topic in partitionLayerConfig.servicebus.topics: { + name: topic.name + maxSizeInMegabytes: topic.maxSizeInMegabytes + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + ] + subscriptions: topic.subscriptions ?? [] +}] + +// Then use this variable in the module module partitonNamespace 'br/public:avm/res/service-bus/namespace:0.9.1' = [for (partition, index) in partitions: { name: '${bladeConfig.sectionName}-service-bus-${index}' params: { @@ -649,23 +667,7 @@ module partitonNamespace 'br/public:avm/res/service-bus/namespace:0.9.1' = [for } ] - topics: [ - for topic in partitionLayerConfig.servicebus.topics: { - name: topic.name - maxSizeInMegabytes: topic.maxSizeInMegabytes - authorizationRules: [ - { - name: 'RootManageSharedAccessKey' - rights: [ - 'Listen' - 'Manage' - 'Send' - ] - } - ] - subscriptions: topic.subscriptions - } - ] + topics: topicsWithSubscriptions } }] @@ -680,16 +682,16 @@ module blobUpload 'br/public:avm/res/resources/deployment-script:0.4.0' = [for ( retentionInterval: 'PT1H' timeout: 'PT30M' runOnce: true - + managedIdentities: { userAssignedResourcesIds: [ stampIdentity.id ] - } + } kind: 'AzureCLI' azCliVersion: '2.63.0' - + environmentVariables: [ { name: 'CONTENT', value: loadTextContent('./deploy-scripts/Legal_COO.json') } { name: 'FILE_NAME', value: 'Legal_COO.json' } diff --git a/bicep/modules/keyvault_secrets.bicep b/bicep/modules/keyvault_secrets.bicep index 099d171c..d1b6fdb3 100644 --- a/bicep/modules/keyvault_secrets.bicep +++ b/bicep/modules/keyvault_secrets.bicep 
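Review bot: `topicsWithSubscriptions` gives every topic a topic-scoped SAS rule named `RootManageSharedAccessKey` with `Manage` rights, so each per-topic key carries the same authority as the namespace root key; this block was moved rather than introduced, but since the rest of this change migrates to workload identity it is the right moment to decide whether the shared-access rules are still needed, or whether `Listen`/`Send` would suffice. The `topic.subscriptions ?? []` default is an improvement over the previous unguarded `topic.subscriptions`; a comment such as `// subscriptions is optional per topic; default to none` would make that intent explicit. The `partitonNamespace` identifier (typo for "partition") is pre-existing but feeds deployment names, so renaming it later changes those names.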
@@ -14,6 +14,11 @@ param insightsName string param cacheName string +@description('The name of the identity.') +@minLength(0) +param identityName string + + resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = { name: keyVaultName } @@ -30,6 +35,10 @@ resource redis 'Microsoft.Cache/redis@2022-06-01' existing = { name: cacheName } +resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = { + name: identityName +} + resource cachePassword 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = { name: 'redis-password' parent: keyVault @@ -93,4 +102,13 @@ resource insightsConnection 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = { } } +// resource identityClientIdSecret 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = { +// name: 'app-dev-sp-id' +// parent: keyVault + +// properties: { +// value: identity.properties.clientId +// } +// } + output keyVaultName string = keyVault.name diff --git a/bicep/modules/managed-cluster/agent-pool/main.bicep b/bicep/modules/managed-cluster/agent-pool/main.bicep index 920a9000..807b9176 100644 --- a/bicep/modules/managed-cluster/agent-pool/main.bicep +++ b/bicep/modules/managed-cluster/agent-pool/main.bicep @@ -153,11 +153,11 @@ param workloadRuntime string? ]) param sshAccess string = 'Disabled' -resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-preview' existing = { +resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-09-02-preview' existing = { name: managedClusterName } -resource agentPool 'Microsoft.ContainerService/managedClusters/agentPools@2024-04-02-preview' = { +resource agentPool 'Microsoft.ContainerService/managedClusters/agentPools@2024-09-02-preview' = { name: name parent: managedCluster properties: { diff --git a/bicep/modules/managed-cluster/aks_appconfig_extension.bicep b/bicep/modules/managed-cluster/aks_appconfig_extension.bicep index 59406d80..093450b4 100644 
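Review bot: `identityName` and the `identity` existing resource are introduced, but their only consumer, `identityClientIdSecret`, is left commented out, so the module now demands a parameter it never uses, and `@minLength(0)` is a no-op since zero is already the minimum. Either drop the parameter and resource until the client-id secret is actually written, or keep them with a comment explaining why that secret is deferred; if an empty `identityName` is meant to be a valid input, note that an `existing` resource with an empty name is not validated until something dereferences it. If the secret is restored later it should keep using `identity.properties.clientId` rather than a hard-coded value.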
--- a/bicep/modules/managed-cluster/aks_appconfig_extension.bicep +++ b/bicep/modules/managed-cluster/aks_appconfig_extension.bicep @@ -1,7 +1,7 @@ @description('The name of the Managed Cluster resource.') param clusterName string -resource existingManagedCluster 'Microsoft.ContainerService/managedClusters@2024-04-02-preview' existing = { +resource existingManagedCluster 'Microsoft.ContainerService/managedClusters@2024-09-02-preview' existing = { name: clusterName } diff --git a/bicep/modules/managed-cluster/aks_policy.bicep b/bicep/modules/managed-cluster/aks_policy.bicep index f0da2abc..30e93bc4 100644 --- a/bicep/modules/managed-cluster/aks_policy.bicep +++ b/bicep/modules/managed-cluster/aks_policy.bicep @@ -1,12 +1,12 @@ @description('The name of the Azure Kubernetes Service Cluster') param clusterName string = '' -resource managedCluster 'Microsoft.ContainerService/managedClusters@2023-05-02-preview' existing = if (clusterName != '') { +resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-09-02-preview' existing = if (clusterName != '') { name: clusterName } var policyDefinitionId = '/providers/Microsoft.Authorization/policySetDefinitions/c047ea8e-9c78-49b2-958b-37e56d291a44' -resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = { +resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-05-01' = { name: 'aksDeploymentSafeguardsAssignment' scope: managedCluster properties: { diff --git a/bicep/modules/managed-cluster/main.bicep b/bicep/modules/managed-cluster/main.bicep index ee46ce95..3a8f2fed 100644 --- a/bicep/modules/managed-cluster/main.bicep +++ b/bicep/modules/managed-cluster/main.bicep 
@@ -553,7 +553,7 @@ resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empt // Main Resources // // ============== // -resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-04-02-preview' = { +resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-09-02-preview' = { name: name location: location tags: tags @@ -870,7 +870,7 @@ module managedCluster_agentPools 'agent-pool/main.bicep' = [ } ] -module managedCluster_extension 'br/public:avm/res/kubernetes-configuration/extension:0.2.0' = if (!empty(fluxExtension)) { +module managedCluster_extension 'br/public:avm/res/kubernetes-configuration/extension:0.3.5' = if (!empty(fluxExtension)) { name: '${uniqueString(deployment().name, location)}-ManagedCluster-FluxExtension' params: { clusterName: managedCluster.name diff --git a/bicep/modules/managed-cluster/maintenance-configurations/main.bicep b/bicep/modules/managed-cluster/maintenance-configurations/main.bicep index 52f609f0..e6978a8a 100644 --- a/bicep/modules/managed-cluster/maintenance-configurations/main.bicep +++ b/bicep/modules/managed-cluster/maintenance-configurations/main.bicep @@ -11,11 +11,11 @@ param managedClusterName string @description('Optional. Name of the maintenance configuration.') param name string = 'aksManagedAutoUpgradeSchedule' -resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-preview' existing = { +resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-09-02-preview' existing = { name: managedClusterName } -resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2023-10-01' = { +resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-09-02-preview' = { name: name parent: managedCluster properties: { diff --git a/charts/blob-upload/Chart.yaml b/charts/blob-upload/Chart.yaml index 76c69e0c..28fbe399 100644 
--- a/charts/blob-upload/Chart.yaml +++ b/charts/blob-upload/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: blob-upload type: application description: Uploads files to Azure Blob Storage -version: 0.0.2 +version: 0.0.1 appVersion: 0.0.1 maintainers: - name: danielscholl diff --git a/charts/blob-upload/templates/storage-container-job.yaml b/charts/blob-upload/templates/storage-container-job.yaml index c2f0e658..78340d04 100644 --- a/charts/blob-upload/templates/storage-container-job.yaml +++ b/charts/blob-upload/templates/storage-container-job.yaml @@ -12,6 +12,9 @@ metadata: spec: ttlSecondsAfterFinished: 300 template: + metadata: + labels: + azure.workload.identity/use: "true" spec: serviceAccountName: workload-identity-sa containers: @@ -23,27 +26,35 @@ spec: - | # Install curl tdnf install -y curl - + # Download the file echo "Downloading file from {{ .url }}" curl -kso {{ .file }} "{{ .url }}" - - # Login using workload identity - az login --identity - + + echo "==================================================================" + echo " Logging in using Workload Identity" + echo "==================================================================" + + # Login using the federated token from the environment variable + az login --federated-token "$(cat ${AZURE_FEDERATED_TOKEN_FILE})" \ + --service-principal \ + -u ${AZURE_CLIENT_ID} \ + -t ${AZURE_TENANT_ID} || exit 1 + # Upload directly to blob storage using Azure CLI az storage blob upload \ -f {{ .file }} \ -c {{ $.Values.blobUpload.container }} \ -n {{ .file }} \ + --account-name {{ $value }} \ --overwrite \ - --auth-mode login - + --auth-mode login || exit 1 + echo "File uploaded to container {{ $.Values.blobUpload.container }} in storage account {{ $value }}" - sleep 300000 + exit 0 restartPolicy: Never {{- end }} {{- $i = add $i 1 }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} \ No newline at end of file 
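Review bot: `version: 0.0.1` moves the chart version backwards from 0.0.2, which a Flux HelmRelease or any semver-range consumer will treat as an older release and may decline to reconcile; if this is a deliberate reset it deserves a note in the commit message, otherwise bump to 0.0.3. The same downgrade appears for osdu-developer-base in this change.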
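Review bot: The job still fetches its payload with `curl -kso {{ .file }} "{{ .url }}"`, which disables TLS certificate verification and ignores the exit status, so a failed or tampered download is then pushed to the storage container by the new `az storage blob upload ... || exit 1` step; use `curl -fsSLo {{ .file }} "{{ .url }}" || exit 1` and drop `-k` unless the source genuinely needs an untrusted certificate, in which case pin it with `--cacert`. The new `az login --federated-token "$(cat ${AZURE_FEDERATED_TOKEN_FILE})"` line relies on `AZURE_FEDERATED_TOKEN_FILE`, `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` being injected by the workload-identity webhook in response to the added `azure.workload.identity/use: "true"` label; a comment above the login stating that dependency would help whoever debugs a "No such file" error when the webhook is absent. The `{{ .file }}` and `{{ .url }}` values come from a range defined outside this hunk.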
diff --git a/charts/osdu-developer-base/Chart.yaml b/charts/osdu-developer-base/Chart.yaml index 9150f73b..00b27091 100644 --- a/charts/osdu-developer-base/Chart.yaml +++ b/charts/osdu-developer-base/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: osdu-developer-base type: application description: Installs the OSDU developer Base Components -version: 0.0.3 +version: 0.0.2 appVersion: 0.0.1 maintainers: - name: danielscholl diff --git a/charts/osdu-developer-base/envoy-filter.md b/charts/osdu-developer-base/envoy-filter.md new file mode 100644 index 00000000..6abb6dcb --- /dev/null +++ b/charts/osdu-developer-base/envoy-filter.md 
@@ -0,0 +1,66 @@ +# Microsoft Identity Filter for Istio Envoy + +This contains the configuration and logic for an EnvoyFilter that processes Microsoft Azure Active Directory (AAD) tokens. The filter handles both AAD v1 and AAD v2 tokens to set well-known headers for downstream services, enabling proper identity and authorization context propagation. + +## Features + +- **Header Removal**: Ensures `x-user-id` and `x-app-id` headers are reset at the start of request processing. +- **Token Support**: Processes AAD v1 (sts.windows.net) and AAD v2 (login.microsoftonline.com) tokens. +- **Delegation Handling**: Supports OAuth delegation via `x-on-behalf-of` header. +- **Flexible Issuer Recognition**: Handles tokens from multiple issuers without assuming a fixed tenant ID. +- **Dynamic Metadata Logging**: Logs JWT payload for debugging and troubleshooting. +- **Error Handling**: Logs detailed errors for malformed tokens or unknown issuers. + +## Token Scenarios Handled + +| Use Case | Scenario | x-user-id | x-app-id | +|----------|--------------------------------------------|----------------------------------------|-----------------------------------| +| **UC1** | **AAD v1 User Token (sts.windows.net)** | `unique_name` (fallback: `oid`/`upn`) | `aud` | +| **UC2** | **AAD v1 Service-to-Service Delegation** | `x-on-behalf-of` (fallback: `appid`) | `aud` | +| **UC3** | **AAD v1 Application (non-delegated)** | `appid` | `aud` | +| **UC4** | **AAD v2 User Token (login.microsoftonline.com)** | `unique_name` (fallback: `oid`) | `aud` | +| **UC5** | **AAD v2 Service-to-Service Delegation** | `x-on-behalf-of` (fallback: `azp`) | `aud` | +| **UC6** | **AAD v2 Application (non-delegated)** | `azp` (fallback: `oid`) | `aud` | +| **UC7** | **Management Audience (`management.azure.com`)** | `entraClientId` | `entraClientId` | + +## OAuth Delegation (On-Behalf-Of) Flow + +- Enables a service to act on behalf of a user in a multi-service architecture. 
+- Uses `x-on-behalf-of` header to maintain user identity through the service chain. +- Sets `x-user-id` based on the original user's identity. + +## Flow Diagram + +The following diagram illustrates the logical flow of the EnvoyFilter: + +```mermaid +graph TD + A[Start: Incoming Request] --> B[Step 1: Remove Headers] + B --> C[Step 2: Retrieve JWT Metadata] + C -->|Metadata Found| D[Step 3: Log Payload] + C -->|No Metadata Found| E[End: Request Processing Halted] + D --> F[Step 4: Set x-app-id from 'aud'] + F --> F1{Check Management Audience} + F1 -->|aud = management.azure.com| F2[Set x-user-id and x-app-id to entraClientId] + F2 --> E + F1 -->|Other aud| G{Step 5: Check Issuer} + G -->|Issuer: AAD v1 sts.windows.net| H[Process AAD v1 Token] + G -->|Issuer: AAD v2 login.microsoftonline.com| I[Process AAD v2 Token] + G -->|Unknown Issuer| J[Log Error: Unknown Issuer] + H --> H1[Set x-user-id using unique_name, appid, or upn] + H1 --> K[Step 6: Log All Headers] + I --> I1[Set x-user-id using unique_name, oid, or azp] + I1 --> K + J --> K + K --> M[End: Request Forwarded] +``` + +## Debugging and Logging + +### Increase Logging Level +Use the following Istio commands to increase the logging level for debugging: + +```bash +# Enable detailed logging for Lua, JWT, and RBAC +istioctl proxy-config log --level lua:debug,jwt:debug,rbac:debug +``` diff --git a/charts/osdu-developer-base/templates/envoy-filter.yaml b/charts/osdu-developer-base/templates/envoy-filter.yaml index 281cb0bd..2a8e1ae3 100644 --- a/charts/osdu-developer-base/templates/envoy-filter.yaml +++ b/charts/osdu-developer-base/templates/envoy-filter.yaml @@ -1,7 +1,10 @@ -# This command increases logging --> istioctl proxy-config log --level lua:debug +{{- $namespace := .Release.Namespace }} +{{- $entraClientId := .Values.azure.clientId }} + apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: + namespace: {{ $namespace }} name: microsoft-identity-filter spec: configPatches: 
@@ -12,84 +15,129 @@ spec: filterChain: filter: name: envoy.filters.network.http_connection_manager - subFilter: + subFilter: name: envoy.filters.http.router patch: operation: INSERT_BEFORE value: - name: envoy.lua.remove-user-appid-header + name: envoy.lua.microsoft-identity-filter typed_config: "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua" inlineCode: | - function envoy_on_request(request_handle) - -- Remove the Well Known Headers - request_handle:headers():remove("x-user-id") - request_handle:headers():remove("x-app-id") - request_handle:logInfo("x-user-id and x-app-id headers removed") - - -- Retrieve the JWT Payload - local meta = request_handle:streamInfo():dynamicMetadata():get("envoy.filters.http.jwt_authn") + -- Constants + local AAD_V1_ISSUER = "sts.windows.net" + local AAD_V2_ISSUER = "login.microsoftonline.com" + local entraClientId = "{{ $entraClientId }}" - if meta and meta["payload"] then - local payload = meta["payload"] - request_handle:logDebug("JWT Payload: " .. tableToString(payload)) + -- Helper function to log a table + function tableToString(tbl, indent) + if not indent then indent = 0 end + if type(tbl) ~= 'table' then return tostring(tbl) end + local lines = {} + for k, v in pairs(tbl) do + local formatting = string.rep(" ", indent) .. k .. ": " + if type(v) == "table" then + table.insert(lines, formatting) + table.insert(lines, tableToString(v, indent + 1)) + else + table.insert(lines, formatting .. tostring(v)) + end + end + return table.concat(lines, "\n") + end - -- Set the x-app-id Well Known Header if 'aud' claim is present - if payload["aud"] then - request_handle:headers():add("x-app-id", payload["aud"]) - request_handle:logWarn("x-app-id set from 'aud' claim: " .. 
payload["aud"]) - else - request_handle:logError("JWT Payload does not contain 'aud' claim; cannot set x-app-id") - end + -- Function to log all headers + function logAllHeaders(request_handle) + local headers = request_handle:headers() + for key, value in pairs(headers) do + request_handle:logInfo("Header: " .. key .. " = " .. value) + end + end - -- Check issuer - if string.find(payload["iss"], "sts.windows.net") then - -- Set Well Known Header with an order of preference: upn, unique_name, appid - if payload["upn"] then - request_handle:headers():add("x-user-id", payload["upn"]) - request_handle:logWarn("x-user-id set from 'upn' claim: " .. payload["upn"]) - elseif payload["unique_name"] then - request_handle:headers():add("x-user-id", payload["unique_name"]) - request_handle:logWarn("x-user-id set from 'unique_name' claim: " .. payload["unique_name"]) - elseif payload["appid"] then - request_handle:headers():add("x-user-id", payload["appid"]) - request_handle:logWarn("x-user-id set from 'appid' claim: " .. 
payload["appid"]) - else - request_handle:logError("No valid user ID claim (upn, unique_name, appid) found for sts.windows.net") - end + -- Process AAD v1 tokens + function processAADV1Token(payload, request_handle) + if payload["unique_name"] then + request_handle:headers():add("x-user-id", payload["unique_name"]) + request_handle:logWarn("UC1-(AAD v1 User Token (sts.windows.net)): x-user-id set from 'unique_name' claim") + elseif payload["oid"] then + request_handle:headers():add("x-user-id", payload["appid"]) + request_handle:logWarn("UC1-(AAD v1 User Token (sts.windows.net)): x-user-id set from 'appid' claim as fallback") + elseif payload["upn"] then + request_handle:headers():add("x-user-id", payload["upn"]) + request_handle:logWarn("UC1-(AAD v1 User Token (sts.windows.net)): x-user-id set from 'upn' claim as fallback") + else + request_handle:logError("UC1-(AAD v1 User Token (sts.windows.net)): No valid claim for x-user-id found in AAD v1 token") + end + end - elseif string.find(payload["iss"], "login.microsoftonline.com") then - -- Set Well Known Header with an order of preference: azp, oid - if payload["azp"] then - request_handle:headers():add("x-user-id", payload["azp"]) - request_handle:logWarn("x-user-id set from 'azp' claim: " .. payload["azp"]) - elseif payload["oid"] then - request_handle:headers():add("x-user-id", payload["oid"]) - request_handle:logWarn("x-user-id set from 'oid' claim: " .. 
payload["oid"]) - else - request_handle:logError("No valid user ID claim (azp, oid) found for login.microsoftonline.com") - end - else - request_handle:logError("Issuer does not match known issuers") - end - else - request_handle:logError("No JWT metadata found or payload is malformed") - end + -- Process AAD v2 tokens + function processAADV2Token(payload, request_handle) + if payload["unique_name"] then + request_handle:headers():add("x-user-id", payload["unique_name"]) + request_handle:logWarn("UC4-(AAD v2 User Token (login.microsoftonline.com)): x-user-id set from 'unique_name' claim") + elseif payload["oid"] then + request_handle:headers():add("x-user-id", payload["oid"]) + request_handle:logWarn("UC4-(AAD v2 User Token (login.microsoftonline.com)): x-user-id set from 'oid' claim as fallback") + elseif payload["azp"] then + request_handle:headers():add("x-user-id", payload["azp"]) + request_handle:logWarn("UC4-(AAD v2 User Token (login.microsoftonline.com)): x-user-id set from 'azp' claim as fallback") + else + request_handle:logError("UC4-(AAD v2 User Token (login.microsoftonline.com)): No valid claim for x-user-id found in AAD v2 token") + end end - -- Helper function to convert a table to a string for logging - function tableToString(tbl, indent) - if not indent then indent = 0 end - if type(tbl) ~= 'table' then return tostring(tbl) end - local lines = {} - for k, v in pairs(tbl) do - local formatting = string.rep(" ", indent) .. k .. ": " - if type(v) == "table" then - table.insert(lines, formatting) - table.insert(lines, tableToString(v, indent+1)) - else - table.insert(lines, formatting .. 
tostring(v)) - end + -- Main processing function + function envoy_on_request(request_handle) + -- Step 1: Remove existing headers + request_handle:headers():remove("x-user-id") + request_handle:headers():remove("x-app-id") + request_handle:logWarn("x-user-id and x-app-id headers removed") + + -- Step 2: Retrieve JWT metadata + local meta = request_handle:streamInfo():dynamicMetadata():get("envoy.filters.http.jwt_authn") + if not meta or not meta["payload"] then + request_handle:logError("No JWT metadata or payload found") + return + end + local payload = meta["payload"] + + -- Step 3: Log raw payload for debugging + request_handle:logDebug("JWT payload: " .. tableToString(payload)) + + -- Step 4: Process audience (aud) claim + local aud = payload["aud"] + if aud then + request_handle:headers():add("x-app-id", aud) + request_handle:logDebug("x-app-id set from 'aud' claim: " .. aud) + -- Special handling for audience "https://management.azure.com/" + if aud == "https://management.azure.com/" then + local managedClientId = payload["appid"] + if managedClientId then + request_handle:headers():add("x-user-id", entraClientId) + request_handle:headers():replace("x-app-id", entraClientId) + request_handle:logWarn("UC7-(Management Audience): x-user-id and x-app-id set to 'appid' claim for management.azure.com audience") + else + request_handle:logError("No 'appid' claim found for management.azure.com audience") + end + return -- Exit early as we don't need further processing for this case end - return table.concat(lines, "\n") + else + request_handle:logError("No 'aud' claim found in payload") + end + + -- Step 5: Process issuer (iss) for additional logic + local iss = payload["iss"] + if iss and string.find(iss, AAD_V1_ISSUER) then + request_handle:logDebug("Processing AAD v1 token") + processAADV1Token(payload, request_handle) + elseif iss and string.find(iss, AAD_V2_ISSUER) then + request_handle:logDebug("Processing AAD v2 token") + processAADV2Token(payload, 
request_handle) + else + request_handle:logError("Unknown issuer: " .. (iss or "nil")) + end + + -- Step 6: Log all headers before leaving the filter + request_handle:logDebug("Logging all headers before leaving the filter:") + logAllHeaders(request_handle) end \ No newline at end of file diff --git a/charts/osdu-developer-base/templates/request-authentication.yaml b/charts/osdu-developer-base/templates/request-authentication.yaml index f9c05634..f2366b7a 100644 --- a/charts/osdu-developer-base/templates/request-authentication.yaml +++ b/charts/osdu-developer-base/templates/request-authentication.yaml @@ -1,6 +1,7 @@ {{- if .Values.enableRequestAuthentication }} {{- $tenantId := .Values.azure.tenantId -}} {{- $appId := .Values.azure.appId -}} +{{- $clientId := .Values.azure.clientId -}} apiVersion: security.istio.io/v1beta1 kind: RequestAuthentication metadata: @@ -9,9 +10,11 @@ metadata: spec: jwtRules: - issuer: "https://sts.windows.net/{{ $tenantId }}/" - jwksUri: "https://login.microsoftonline.com:443/common/discovery/v2.0/keys" + jwksUri: "https://login.microsoftonline.com/common/discovery/v2.0/keys" audiences: - "{{ $appId }}" + - "{{ $clientId }}" + - "https://management.azure.com" outputPayloadToHeader: "x-payload" forwardOriginalToken: true fromHeaders: @@ -21,6 +24,7 @@ spec: jwksUri: "https://login.microsoftonline.com/common/discovery/v2.0/keys" audiences: - "{{ $appId }}" + - "{{ $clientId }}" outputPayloadToHeader: "x-payload" forwardOriginalToken: true fromHeaders: diff --git a/charts/osdu-developer-init/Chart.yaml b/charts/osdu-developer-init/Chart.yaml index af8bcbbf..2f97a4f5 100644 --- a/charts/osdu-developer-init/Chart.yaml +++ b/charts/osdu-developer-init/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: osdu-developer-init type: application description: Installs the OSDU developer Initialization resources -version: 0.0.1 +version: 0.0.2 appVersion: 0.0.1 maintainers: - name: danielscholl 
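Review bot: In `processAADV1Token` the branch `elseif payload["oid"] then request_handle:headers():add("x-user-id", payload["appid"])` tests `oid` but writes `appid`, so a v1 user token without `unique_name` and `appid` raises a Lua error on the nil header value, and one that does carry `appid` is attributed to the application instead of the user; the line should read `request_handle:headers():add("x-user-id", payload["oid"])`, matching the `oid` fallback the new envoy-filter.md table documents. The UC7 branch sets both `x-user-id` and `x-app-id` to the chart's static `entraClientId` for any token whose `aud` is `https://management.azure.com/` without comparing `payload["appid"]` to it, so every identity in the tenant able to obtain an ARM token (any user or managed identity) is presented downstream as the deployment's own client id; guard it with `if managedClientId == entraClientId then` and otherwise log the mismatch and fall through to the issuer handling, and fix the log text, which claims the headers were set from the `appid` claim. `logAllHeaders` writes every request header at info level, which includes the `authorization` bearer token and the `x-payload` header that RequestAuthentication emits, so tokens land in the sidecar logs on every request; skip those two headers or make the dump conditional on a debug flag. Also `string.find(iss, AAD_V1_ISSUER)` treats the issuer constants as Lua patterns in which `.` matches any character; pass `1, true` for a plain substring match.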
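Review bot: Adding `"https://management.azure.com"` to `audiences` on the `sts.windows.net` rule makes the gateway accept any ARM-scoped access token from the tenant as a credential for these services, widening the accepted set from app-specific tokens to whatever `az account get-access-token` returns by default; if this exists only to support the init jobs, consider having them request a token for the application's own audience and removing this entry. The literal here has no trailing slash while the Lua filter compares `aud` against `"https://management.azure.com/"` with one, and Azure v1 tokens for ARM typically carry the slash, so one of the two comparisons will not match the token actually issued; align them and record the expected form in a comment. The `$clientId` audience is added to both issuer rules, which is fine, but a comment noting that it is the managed identity's client id, distinct from `$appId`, would help future readers.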
diff --git a/charts/osdu-developer-init/README.md b/charts/osdu-developer-init/README.md index c5dd7e4f..f6e58e3e 100644 --- a/charts/osdu-developer-init/README.md +++ b/charts/osdu-developer-init/README.md @@ -9,11 +9,11 @@ cat > custom_values.yaml << EOF nameOverride: "" fullnameOverride: "osdu-init" -tenantId: -clientId: -clientSecret: -serviceBus: -partition: +tenantId: +clientId: +clientSecret: +serviceBus: +partition: EOF @@ -24,7 +24,7 @@ Install the helm chart. ```bash # Create Namespace NAMESPACE=osdu-core -helm template osdu-core -f custom_values.yaml . +helm template osdu-core-osdu-init-user -f custom_values.yaml . -helm upgrade --install osdu-core . -n $NAMESPACE -f custom_values.yaml +helm upgrade --install osdu-core-osdu-init-partition . -n $NAMESPACE -f custom_values.yaml ``` diff --git a/charts/osdu-developer-init/templates/_helpers.tpl b/charts/osdu-developer-init/templates/_helpers.tpl index 3ec562c2..df218aae 100644 --- a/charts/osdu-developer-init/templates/_helpers.tpl +++ b/charts/osdu-developer-init/templates/_helpers.tpl 
@@ -55,20 +55,28 @@ app.kubernetes.io/instance: {{ .Release.Name }} Determine if the installation type is enabled */}} {{- define "osdu-developer-init.isEnabled" -}} - {{- $installationType := .Values.installationType | default "osduCore" -}} - {{- if eq $installationType "osduReference" -}} - {{- if hasKey .Values "osduReferenceEnabled" -}} - {{- if eq .Values.osduReferenceEnabled "true" }}1{{else}}0{{end -}} + {{- if hasKey .Values "installationType" -}} + {{- $installationType := .Values.installationType | default "osduCore" -}} + {{- if eq $installationType "osduReference" -}} + {{- if hasKey .Values "osduReferenceEnabled" -}} + {{- if eq .Values.osduReferenceEnabled "true" }}1{{else}}0{{end -}} + {{- else -}} + {{- 0 -}} + {{- end -}} + {{- else if eq $installationType "osduCore" -}} + {{- if hasKey .Values "osduCoreEnabled" -}} + {{- if eq .Values.osduCoreEnabled "true" }}1{{else}}0{{end -}} + {{- else -}} + {{- 0 -}} + {{- end -}} {{- else -}} {{- 0 -}} {{- end -}} - {{- else if eq $installationType "osduCore" -}} - {{- if hasKey .Values "osduCoreEnabled" -}} - {{- if eq .Values.osduCoreEnabled "true" }}1{{else}}0{{end -}} + {{- else -}} + {{- if and (hasKey .Values "jobs") (hasKey .Values.jobs "userInit") -}} + {{- if eq .Values.jobs.userInit true }}1{{else}}0{{end -}} {{- else -}} {{- 0 -}} {{- end -}} - {{- else -}} - {{- 0 -}} {{- end -}} {{- end }} \ No newline at end of file diff --git a/charts/osdu-developer-init/templates/entitlement-init.yaml b/charts/osdu-developer-init/templates/entitlement-init.yaml index 73392af2..e0f83f38 100644 --- a/charts/osdu-developer-init/templates/entitlement-init.yaml +++ b/charts/osdu-developer-init/templates/entitlement-init.yaml @@ -10,7 +10,11 @@ metadata: spec: ttlSecondsAfterFinished: 120 template: + metadata: + labels: + azure.workload.identity/use: "true" spec: + serviceAccountName: workload-identity-sa volumes: - name: script configMap: 
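Review bot: The new fallback branch compares `.Values.jobs.userInit` with the boolean `true` (`eq .Values.jobs.userInit true`) while the sibling checks compare `osduReferenceEnabled`/`osduCoreEnabled` with the string `"true"`, so a values file that sets `userInit: "true"` (or a `--set-string` override) silently evaluates to 0; normalise with `{{- if eq (toString .Values.jobs.userInit) "true" }}1{{else}}0{{end -}}` so both spellings behave alike. A comment at the top of the define explaining the two enabling paths (installationType-driven versus `jobs.userInit`-driven) would also help, since the helper now has two unrelated ways to switch a job on.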
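Review bot: `serviceAccountName: workload-identity-sa` is hard-coded and must already exist in the release namespace with the `azure.workload.identity/client-id` annotation for the added `azure.workload.identity/use: "true"` label to have any effect, yet nothing in this hunk creates it. If it is provisioned by another chart, a comment naming that source, or a `{{ .Values.serviceAccountName | default "workload-identity-sa" }}` value, would avoid a confusing pod-creation failure when the account is missing.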
@@ -18,7 +22,7 @@ spec: defaultMode: 0500 initContainers: - name: data-seed - image: alpine + image: mcr.microsoft.com/azure-cli:cbl-mariner2.0 command: - script/init.sh volumeMounts: @@ -27,17 +31,12 @@ spec: env: - name: NAMESPACE value: {{ $namespace }} - - name: PARTITION - value: {{ .Values.partition | quote }} - name: AZURE_TENANT_ID value: {{ .Values.tenantId | quote }} - - name: AZURE_CLIENT_ID + - name: AZURE_AD_APPLICATION_ID value: {{ .Values.clientId | quote }} - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ .Values.clientSecret.name | quote }} - key: {{ .Values.clientSecret.key | quote }} + - name: PARTITION + value: {{ .Values.partition | quote }} containers: - name: sleep image: istio/base 
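Review bot: The env hunk renames the chart-provided `AZURE_CLIENT_ID` to `AZURE_AD_APPLICATION_ID`, yet the init script still reads `${AZURE_CLIENT_ID}` and `${AZURE_FEDERATED_TOKEN_FILE}` under `set -o nounset`, so the job now depends entirely on the workload-identity webhook injecting those variables from the `workload-identity-sa` annotation, and `AZURE_AD_APPLICATION_ID` is not referenced anywhere in the visible script. If the variable is only kept for readability, a comment such as `# AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE are injected by the workload-identity webhook; this value is informational` would stop the next reader from assuming it drives the login; otherwise drop it. The explicit `AZURE_TENANT_ID` here presumably coexists with the webhook-injected one — confirm which wins, since a mismatch would be hard to diagnose. The same rename appears in partition-init (L43), and all five init jobs hard-code `serviceAccountName: workload-identity-sa` where deployment.yaml in this diff makes it a value with a default.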
@@ -58,30 +57,20 @@ data: set -euo pipefail set -o nounset - apk add --no-cache curl jq + tdnf install -y curl jq echo "==================================================================" - echo " Creating Bearer Token for Application: ${AZURE_CLIENT_ID} " + echo " Logging in using Workload Identity" echo "==================================================================" - echo " Identity Client Id: ${AZURE_CLIENT_ID}" - OUTPUT=$(curl -s -w "%{http_code}" --request POST \ - --url https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/token \ - --header "content-type: application/x-www-form-urlencoded" \ - --data "grant_type=client_credentials" \ - --data "client_id=${AZURE_CLIENT_ID}" \ - --data "client_secret=${AZURE_CLIENT_SECRET}" \ - --data "resource=${AZURE_CLIENT_ID}") + # Login using the federated token from the environment variable + az login --federated-token "$(cat ${AZURE_FEDERATED_TOKEN_FILE})" \ + --service-principal \ + -u ${AZURE_CLIENT_ID} \ + -t ${AZURE_TENANT_ID} - HTTP_STATUS_CODE=$(echo $OUTPUT | grep -oE '[0-9]{3}$') - BODY=${OUTPUT%???} - - if [[ "$HTTP_STATUS_CODE" != "200" ]]; then - echo "Error: Unexpected HTTP status code $HTTP_STATUS_CODE" - exit 1 - fi - - TOKEN=$(echo "$BODY" | jq .access_token | tr -d '"') + # Get token (no resource needed) + TOKEN=$(az account get-access-token --resource "https://management.azure.com/" --query accessToken -o tsv) OUTPUT=$(curl -s -w "%{http_code}" --request POST \ --url http://entitlements.{{ $namespace }}/api/entitlements/v2/tenant-provisioning \ @@ -93,7 +82,7 @@ data: HTTP_STATUS_CODE=$(echo $OUTPUT | grep -oE '[0-9]{3}$') BODY=${OUTPUT%???} - + if [ "$HTTP_STATUS_CODE" == "200" ]; then echo "Success: $(echo "$BODY" | jq .)" else diff --git a/charts/osdu-developer-init/templates/partition-init.yaml b/charts/osdu-developer-init/templates/partition-init.yaml index aef03b35..9a9acd85 100644 --- a/charts/osdu-developer-init/templates/partition-init.yaml 
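Review bot: The token handed to the entitlements service is now minted for `https://management.azure.com/`, whereas the removed code requested `resource=${AZURE_CLIENT_ID}`, i.e. the application's own audience that the OSDU services are configured to validate (`AZURE_APP_RESOURCE_ID`/`AAD_CLIENT_ID` elsewhere in this diff). Unless the service's audience check is disabled the POST will be rejected, and if it is accepted, an ARM-scoped token is being sent over plain `http://` to an in-cluster endpoint, a broader credential than the call needs. Restoring the original audience, `TOKEN=$(az account get-access-token --resource "${AZURE_CLIENT_ID}" --query accessToken -o tsv)`, keeps the blast radius of a leaked token to this application; the comment `# Get token (no resource needed)` should also go, since the command does pass one. The same pattern recurs in partition-init, user-init and workflow-init (L44, L49–L50, L51), where the comment claims "the correct application ID as resource" but the command passes the ARM URL. The script continues past the hunk.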
+++ b/charts/osdu-developer-init/templates/partition-init.yaml @@ -10,7 +10,11 @@ metadata: spec: ttlSecondsAfterFinished: 120 template: + metadata: + labels: + azure.workload.identity/use: "true" spec: + serviceAccountName: workload-identity-sa volumes: - name: script configMap: @@ -18,7 +22,7 @@ spec: defaultMode: 0500 initContainers: - name: data-seed - image: alpine + image: mcr.microsoft.com/azure-cli:cbl-mariner2.0 command: - script/init.sh volumeMounts: @@ -27,19 +31,14 @@ spec: env: - name: NAMESPACE value: {{ $namespace }} + - name: AZURE_TENANT_ID + value: {{ .Values.tenantId | quote }} + - name: AZURE_AD_APPLICATION_ID + value: {{ .Values.clientId | quote }} - name: PARTITION value: {{ .Values.partition | quote }} - name: SERVICE_BUS_NAME value: {{ .Values.serviceBus | quote }} - - name: AZURE_TENANT_ID - value: {{ .Values.tenantId | quote }} - - name: AZURE_CLIENT_ID - value: {{ .Values.clientId | quote }} - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ .Values.clientSecret.name | quote }} - key: {{ .Values.clientSecret.key | quote }} containers: - name: sleep image: istio/base 
@@ -204,30 +203,20 @@ data: set -euo pipefail set -o nounset - apk add --no-cache curl jq + tdnf install -y curl jq echo "==================================================================" - echo " Creating Bearer Token for Application: ${AZURE_CLIENT_ID} " + echo " Logging in using Workload Identity" echo "==================================================================" - echo " Identity Client Id: ${AZURE_CLIENT_ID}" - OUTPUT=$(curl -s -w "%{http_code}" --request POST \ - --url https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/token \ - --header "content-type: application/x-www-form-urlencoded" \ - --data "grant_type=client_credentials" \ - --data "client_id=${AZURE_CLIENT_ID}" \ - --data "client_secret=${AZURE_CLIENT_SECRET}" \ - --data "resource=${AZURE_CLIENT_ID}") + # Login using the federated token from the environment variable + az login --federated-token "$(cat ${AZURE_FEDERATED_TOKEN_FILE})" \ + --service-principal \ + -u ${AZURE_CLIENT_ID} \ + -t ${AZURE_TENANT_ID} - HTTP_STATUS_CODE=$(echo $OUTPUT | grep -oE '[0-9]{3}$') - BODY=${OUTPUT%???} - - if [[ "$HTTP_STATUS_CODE" != "200" ]]; then - echo "Error: Unexpected HTTP status code $HTTP_STATUS_CODE" - exit 1 - fi - - TOKEN=$(echo "$BODY" | jq .access_token | tr -d '"') + # Get token with the correct application ID as resource + TOKEN=$(az account get-access-token --resource "https://management.azure.com/" --query accessToken -o tsv) OUTPUT=$(curl -s -w "%{http_code}" --request POST \ --url http://partition.{{ $namespace }}/api/partition/v1/partitions/${PARTITION} \ @@ -240,7 +229,7 @@ data: HTTP_STATUS_CODE=$(echo $OUTPUT | grep -oE '[0-9]{3}$') BODY=${OUTPUT%???} - + if [ "$HTTP_STATUS_CODE" == "201" ]; then echo "Success: $(echo "$BODY" | jq .)" elif [ "$HTTP_STATUS_CODE" == "409" ]; then diff --git a/charts/osdu-developer-init/templates/schema-init.yaml b/charts/osdu-developer-init/templates/schema-init.yaml index 9a66b61e..f32ea282 100644 
--- a/charts/osdu-developer-init/templates/schema-init.yaml +++ b/charts/osdu-developer-init/templates/schema-init.yaml @@ -10,12 +10,20 @@ metadata: spec: ttlSecondsAfterFinished: 120 template: + metadata: + labels: + azure.workload.identity/use: "true" spec: + serviceAccountName: workload-identity-sa volumes: - name: script configMap: name: schema-init-script defaultMode: 0777 + - name: token + configMap: + name: schema-init-script + defaultMode: 0777 initContainers: - name: data-seed image: community.opengroup.org:5555/osdu/platform/system/schema-service/schema-service-schema-load-release-0-27:beb6f65c1d9c303e86a6047adc93b2192d0c62ba @@ -23,6 +31,9 @@ spec: - name: script mountPath: "/home/osdu/deployments/scripts/azure/bootstrap.sh" subPath: init.sh + - name: token + mountPath: "/home/osdu/deployments/scripts/azure/Token.py" + subPath: token.py env: - name: DATA_PARTITION value: {{ .Values.partition | quote }} @@ -30,13 +41,6 @@ spec: value: {{ .Values.clientId | quote }} - name: AZURE_TENANT_ID value: {{ .Values.tenantId | quote }} - - name: AZURE_CLIENT_ID - value: {{ .Values.clientId | quote }} - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ .Values.clientSecret.name | quote }} - key: {{ .Values.clientSecret.key | quote }} containers: - name: sleep image: istio/base 
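Review bot: The new `token` volume mounts the same `schema-init-script` ConfigMap a second time with `defaultMode: 0777`; a second `volumeMounts` entry on the existing `script` volume with `subPath: token.py` would deliver the file without a duplicate volume, and the mode should follow the `0500` the sibling init charts in this diff use (`defaultMode: 0500`) rather than world-writable bits on a credential-handling script. ConfigMap volumes are, as far as I recall, mounted read-only by the kubelet, so the broad mode mostly affects what the file advertises, but least privilege still argues for the narrower value on new code.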
@@ -79,7 +83,17 @@ data: currentMessage="Schema loading failed. Please check error logs for more details." fi if [ ! -z "$CONFIG_MAP_NAME" -a "$CONFIG_MAP_NAME" != " " ]; then - az login --identity --username $OSDU_IDENTITY_ID + + echo "==================================================================" + echo " Logging in using Workload Identity" + echo "==================================================================" + + # Login using the federated token from the environment variable + az login --federated-token "$(cat ${AZURE_FEDERATED_TOKEN_FILE})" \ + --service-principal \ + -u ${AZURE_CLIENT_ID} \ + -t ${AZURE_TENANT_ID} + ENV_AKS=$(az aks list --resource-group $RESOURCE_GROUP_NAME --query [].name -otsv) az aks get-credentials --resource-group $RESOURCE_GROUP_NAME --name $ENV_AKS kubectl config set-context $RESOURCE_GROUP_NAME --cluster $ENV_AKS 
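Review bot: After the federated login the script still runs `az aks list` and `az aks get-credentials` to reach the cluster it is already executing in, so the workload identity needs ARM read access on the resource group plus an AKS cluster-user role just to write a ConfigMap into its own namespace. The pod's projected service-account token with a namespace-scoped Role on `configmaps` would cover that with no Azure-side permission and would avoid writing a kubeconfig inside the container; if the ARM path is kept on purpose, a comment stating which Azure role the identity requires would help operators size it. The enclosing `if` block starts and ends outside the hunk.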
@@ -101,4 +115,56 @@ data: else exit 1 fi + token.py: | + import os + import msal + + class AzureToken(object): + def get_azure_id_token(self): + tenant_id = os.getenv('AZURE_TENANT_ID') + client_id = os.getenv('AZURE_CLIENT_ID') + + # Read the federated token provided by workload identity + token_path = os.getenv('AZURE_FEDERATED_TOKEN_FILE', '/var/run/secrets/azure/tokens/azure-identity-token') + + if not all([tenant_id, client_id]): + print('Missing required environment variables: AZURE_TENANT_ID and AZURE_CLIENT_ID are required') + exit(1) + + try: + # Read the federated token + with open(token_path, 'r') as f: + federated_token = f.read().strip() + + authority_host_uri = 'https://login.microsoftonline.com' + authority_uri = authority_host_uri + '/' + tenant_id + + # Configure MSAL for federated token exchange + app = msal.ConfidentialClientApplication( + client_id=client_id, + authority=authority_uri, + client_credential={ + "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", + "client_assertion": federated_token + } + ) + + # Use the same scope as az cli would use + scopes = ["https://management.azure.com/.default"] + result = app.acquire_token_for_client(scopes=scopes) + + if 'access_token' in result: + token = 'Bearer ' + result['access_token'] + print(token) + return token + else: + print(f"Error getting token: {result.get('error_description', 'Unknown error')}") + exit(1) + + except Exception as e: + print(f"Error: {str(e)}") + exit(1) + + if __name__ == '__main__': + AzureToken().get_azure_id_token() {{- end }} diff --git a/charts/osdu-developer-init/templates/user-init.yaml b/charts/osdu-developer-init/templates/user-init.yaml index 23ff0474..bd1ebc7b 100644 --- a/charts/osdu-developer-init/templates/user-init.yaml +++ b/charts/osdu-developer-init/templates/user-init.yaml 
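Review bot: `get_azure_id_token` prints the full bearer token with `print(token)` before returning it, so whenever the class is imported and called rather than run as a script the access token is written to stdout and lands in pod logs; if stdout is the contract for the `__main__` path, move the print there (`print(AzureToken().get_azure_id_token())`) and keep the method side-effect free. The scope `https://management.azure.com/.default` is the ARM audience, not the application's own scope (`<AZURE_CLIENT_ID>/.default`) that the schema service validates, the same concern as the shell init scripts in this diff. `exit(1)` is the site-module helper and is absent under `python -S` or embedded interpreters; `sys.exit(1)` with `import sys` is the portable form. Whether `msal` is installed in the schema-loader image is not visible here and should be confirmed, since the replaced bootstrap relied on `az login` instead.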
@@ -1,56 +1,42 @@ {{- $enabled := eq (include "osdu-developer-init.isEnabled" .) "1" -}} {{- $namespace := .Release.Namespace -}} +{{- $releaseName := .Release.Name -}} {{- if and $enabled .Values.jobs.userInit }} --- apiVersion: batch/v1 kind: Job metadata: - name: user-init - namespace: osdu-core # Ensure the correct namespace + name: {{ $releaseName }} + namespace: {{ $namespace }} spec: ttlSecondsAfterFinished: 120 template: + metadata: + labels: + azure.workload.identity/use: "true" spec: + serviceAccountName: workload-identity-sa volumes: - name: script configMap: - name: user-init-script + name: configmap-{{ $releaseName }}-script defaultMode: 0500 initContainers: - name: data-seed - image: mcr.microsoft.com/cbl-mariner/base/core:2.0 - command: ["/bin/sh"] - args: - - -c - - | - tdnf install -y curl jq && \ - /script/init.sh + image: mcr.microsoft.com/azure-cli:cbl-mariner2.0 + command: + - /script/init.sh volumeMounts: - name: script mountPath: "/script" env: - - name: AUTH_CODE - value: "" # Placeholder value - - name: AZURE_TENANT_ID - value: {{ .Values.tenantId | quote }} - - name: AZURE_CLIENT_ID - value: {{ .Values.clientId | quote }} - name: EMAIL_ADDRESS value: {{ .Values.emailAddress | quote }} - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ .Values.clientSecret.name | quote }} - key: {{ .Values.clientSecret.key | quote }} - - name: PARTITION - value: {{ .Values.partition | quote }} - - name: AUTH_INGRESS - value: {{ .Values.authIngress | quote }} containers: - name: sleep image: istio/base command: ["/bin/sleep", "30"] - volumeMounts: # Ensure this container also mounts the volume if needed + volumeMounts: - name: script mountPath: "/script" restartPolicy: Never 
@@ -58,43 +44,34 @@ spec: apiVersion: v1 kind: ConfigMap metadata: - name: user-init-script - namespace: osdu-core # Ensure the correct namespace + name: configmap-{{ $releaseName }}-script + namespace: {{ $namespace }} data: init.sh: | #!/usr/bin/env sh set -euo pipefail set -o nounset + tdnf install -y curl jq + echo "==================================================================" - echo " Creating Bearer Token for Application: ${AZURE_CLIENT_ID} " + echo " Logging in using Workload Identity" echo "==================================================================" - OUTPUT=$(curl -s -k -w "%{http_code}" --request POST \ - --url https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/token \ - --header "content-type: application/x-www-form-urlencoded" \ - --data "grant_type=client_credentials" \ - --data "client_id=${AZURE_CLIENT_ID}" \ - --data "client_secret=${AZURE_CLIENT_SECRET}" \ - --data "resource=${AZURE_CLIENT_ID}") - - HTTP_STATUS_CODE=$(echo $OUTPUT | grep -oE '[0-9]{3}$') - BODY=${OUTPUT%???} - - if [[ "$HTTP_STATUS_CODE" != "200" ]]; then - echo "Error: Unexpected HTTP status code $HTTP_STATUS_CODE" - echo "Response body: $BODY" - exit 1 - fi + # Login using the federated token from the environment variable + az login --federated-token "$(cat ${AZURE_FEDERATED_TOKEN_FILE})" \ + --service-principal \ + -u ${AZURE_CLIENT_ID} \ + -t ${AZURE_TENANT_ID} - TOKEN=$(echo "$BODY" | jq .access_token | tr -d '"') + # Get token (no resource needed) + TOKEN=$(az account get-access-token --resource "https://management.azure.com/" --query accessToken -o tsv) echo "==================================================================" echo " Adding the first user... 
" echo "==================================================================" - AUTH_USER="${EMAIL_ADDRESS}" - json_payload=$(jq -n --arg email "$AUTH_USER" '{"email": $email, "role": "MEMBER"}') + json_payload=$(jq -n --arg email "$EMAIL_ADDRESS" '{"email": $email, "role": "MEMBER"}') OUTPUT=$(curl -s -k -w "%{http_code}" -X POST "http://entitlements.{{ $namespace }}/api/entitlements/v2/groups/users@opendes.dataservices.energy/members" \ --insecure \ @@ -147,4 +124,4 @@ data: fi exit 0 -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/osdu-developer-init/templates/workflow-init.yaml b/charts/osdu-developer-init/templates/workflow-init.yaml index 74456450..93827121 100644 --- a/charts/osdu-developer-init/templates/workflow-init.yaml +++ b/charts/osdu-developer-init/templates/workflow-init.yaml @@ -10,7 +10,11 @@ metadata: spec: ttlSecondsAfterFinished: 120 template: + metadata: + labels: + azure.workload.identity/use: "true" spec: + serviceAccountName: workload-identity-sa volumes: - name: script configMap: @@ -18,7 +22,7 @@ spec: defaultMode: 0500 initContainers: - name: data-seed - image: alpine + image: mcr.microsoft.com/azure-cli:cbl-mariner2.0 command: - script/init.sh volumeMounts: @@ -29,15 +33,6 @@ spec: value: {{ $namespace }} - name: PARTITION value: {{ .Values.partition | quote }} - - name: AZURE_TENANT_ID - value: {{ .Values.tenantId | quote }} - - name: AZURE_CLIENT_ID - value: {{ .Values.clientId | quote }} - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ .Values.clientSecret.name | quote }} - key: {{ .Values.clientSecret.key | quote }} - name: WORKFLOWS value: {{ .Values.workflows | toJson | quote }} containers: 
@@ -60,30 +55,20 @@ data: set -euo pipefail set -o nounset - apk add --no-cache curl jq + tdnf install -y curl jq echo "==================================================================" - echo " Creating Bearer Token for Application: ${AZURE_CLIENT_ID} " + echo " Logging in using Workload Identity" echo "==================================================================" - echo " Identity Client Id: ${AZURE_CLIENT_ID}" - OUTPUT=$(curl -s -w "%{http_code}" --request POST \ - --url https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/token \ - --header "content-type: application/x-www-form-urlencoded" \ - --data "grant_type=client_credentials" \ - --data "client_id=${AZURE_CLIENT_ID}" \ - --data "client_secret=${AZURE_CLIENT_SECRET}" \ - --data "resource=${AZURE_CLIENT_ID}") + # Login using the federated token from the environment variable + az login --federated-token "$(cat ${AZURE_FEDERATED_TOKEN_FILE})" \ + --service-principal \ + -u ${AZURE_CLIENT_ID} \ + -t ${AZURE_TENANT_ID} - HTTP_STATUS_CODE=$(echo $OUTPUT | grep -oE '[0-9]{3}$') - BODY=${OUTPUT%???} - - if [[ "$HTTP_STATUS_CODE" != "200" ]]; then - echo "Error: Unexpected HTTP status code $HTTP_STATUS_CODE" - exit 1 - fi - - TOKEN=$(echo "$BODY" | jq .access_token | tr -d '"') + # Get token with the correct application ID as resource + TOKEN=$(az account get-access-token --resource "https://management.azure.com/" --query accessToken -o tsv) # Log the WORKFLOWS variable to check its format echo "WORKFLOWS: $WORKFLOWS" diff --git a/charts/osdu-developer-init/values.yaml b/charts/osdu-developer-init/values.yaml index 8853f655..f7260e43 100644 --- a/charts/osdu-developer-init/values.yaml +++ b/charts/osdu-developer-init/values.yaml @@ -1,6 +1,5 @@ -tenantId: -clientId: -clientSecret: -serviceBus: -partition: - \ No newline at end of file +tenantId: +clientId: +clientSecret: +serviceBus: +partition: 
diff --git a/charts/osdu-developer-service/templates/deployment.yaml b/charts/osdu-developer-service/templates/deployment.yaml index f27f743f..430ff1da 100644 --- a/charts/osdu-developer-service/templates/deployment.yaml +++ b/charts/osdu-developer-service/templates/deployment.yaml @@ -37,10 +37,12 @@ spec: {{- end }} labels: {{ $selectorLabels }} app: {{ or .service .scaledObject }} + azure.workload.identity/use: "true" {{- if $subset }} version: {{ $subset }} {{- end }} spec: + serviceAccountName: {{ .serviceAccountName | default "workload-identity-sa" }} {{- if $nodePool }} nodeSelector: nodepool: {{ $nodePool }} @@ -89,7 +91,6 @@ spec: persistentVolumeClaim: claimName: {{ .name }}-pvc {{- end }} - serviceAccountName: workload-identity-sa containers: - name: {{ or .service .scaledObject }} image: {{ if hasSuffix "-" .repository }}{{ .repository }}{{ $osduVersion }}:{{ .tag }}{{ else }}{{ .repository }}:{{ .tag }}{{ end }} diff --git a/docs/src/feature_flags.md b/docs/src/feature_flags.md index b9afe571..c773c815 100644 --- a/docs/src/feature_flags.md +++ b/docs/src/feature_flags.md @@ -37,7 +37,6 @@ Application registrations are created automatically with a naming convention of | Feature Flag | Description | |---------------------------|-----------------------------------------------------------------------------| | AZURE_CLIENT_ID | Use an existing Azure AD App Client ID | -| AZURE_CLIENT_SECRET | Use an existing Azure AD Client Secret and don't reset it. | | AZURE_CLIENT_PRINCIPAL_OID| Skip Principal ID lookup and use provided. | | AZURE_TENANT_ID | Skip Tenant ID lookup and use provided. | 
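Review bot: The `azure.workload.identity/use: "true"` label is now applied to every pod the chart renders, which, where the workload-identity webhook is installed, projects a federated token and injects `AZURE_CLIENT_ID`/`AZURE_TENANT_ID` into every container, including services that never call Azure; gating the label on the same chart value that selects `serviceAccountName` keeps the token out of pods that do not need it. Moving `serviceAccountName` to the top of the pod spec with `.serviceAccountName | default "workload-identity-sa"` is a good change, and the init-job charts in this diff could take the same value instead of hard-coding the name.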
@@ -49,7 +48,9 @@ Infrastructure customizations can be modified using the following feature flags. | Feature Flag | Description | |---------------------------|-----------------------------------------------------------------------------| | CLUSTER_INGRESS | Specifies the Ingress type for the cluster (External, Internal, or Both) | -| CLUSTER_VM_SIZE | Overrides the default server type with a custom VM size | +| VMSIZE_SYSTEM_POOL | Overrides the default server for the system pool. (4x8 ARM) | +| VMSIZE_ZONE_POOL | Overrides the default server for the zone pool. (2x8 ARM) | +| VMSIZE_USER_POOL | Overrides the default server for the default pool. (4x8 INTEL) | | ENABLE_NODE_AUTO_PROVISIONING | Enables node auto provisioning (True by default) | | ENABLE_PRIVATE_CLUSTER | Enables private cluster (False by default) | diff --git a/docs/src/getting_started.md b/docs/src/getting_started.md index 913901d4..8d17b026 100644 --- a/docs/src/getting_started.md +++ b/docs/src/getting_started.md 
@@ -6,19 +6,48 @@ Prerequisites and configuration steps for deploying personal OSDU™ instances i It is recommended to have at least 50 vCPUs in a region for vCPU families along with the ability to deploy Cosmos DB instances which can be resource constrained in some regions. Defaults can be increased by requesting a [quota increase](https://learn.microsoft.com/en-us/azure/quotas/regional-quota-requests). -!!! note "Ensure Sufficient Quota" - The deployment requires quota for the following VM families: +!!! note "Ensure Sufficient Compute Quota per Region" - - Standard_D4pds_v5 nodes for system workloads - - Standard_D2pds_v5 nodes for zonal workloads - - Standard_D4s_v5 nodes for default workloads + | VM Types | Compute Family Series | + |------------------|---------------------------------| + | Standard ARM Generation | Standard Dpdsv6 Family vCPUs | + | Burstable Intel Generation | Standard Bsv2 Family vCPUS | + + Use the following command to validate the availability of servers in a region: + === "Bash" + ```bash + LOCATION="eastus2" # ie: eastus2, centralus + VM_PATTERN="Standard_D" # ie: Standard_D, Standard_B + + az vm list-skus \ + --location "$LOCATION" \ + --query "[?resourceType=='virtualMachines'] \ + | [?contains(locationInfo[0].zones, '1') && contains(locationInfo[0].zones, '2') && contains(locationInfo[0].zones, '3')] \ + | [?restrictions[0]==null] \ + | [?starts_with(name, '$VM_PATTERN')].{ResourceType:resourceType, Locations:locations[0], Name:name, Zones:join(',', locationInfo[0].zones), Restrictions:join('; ', restrictions[*].reasonCode || ['None'])}" \ + -o table + ``` + + === "PowerShell" + ```powershell + $LOCATION="eastus2" # ie: eastus2, centralus + $VM_PATTERN="Standard_D" # ie: Standard_D, Standard_B + + az vm list-skus ` + --location "$LOCATION" ` + --query "[?resourceType=='virtualMachines'] ` + | [?contains(locationInfo[0].zones, '1') && contains(locationInfo[0].zones, '2') && contains(locationInfo[0].zones, '3')] ` + | 
[?restrictions[0]==null] ` + | [?starts_with(name, '$VM_PATTERN')].{ResourceType:resourceType, Locations:locations[0], Name:name, Zones:join(',', locationInfo[0].zones), Restrictions:join('; ', restrictions[*].reasonCode || ['None'])}" ` + -o table + ``` | Quota Name | Minimum Quantity | |------------|------------------| -| Total Regional vCPUs | 100 | -| Standard DPDSv5 Family vCPUs | 50 | -| Standard DSv5 Family vCPUs | 50 | +| Total Regional vCPUs | 100 | +| Standard Dpdsv6 Family vCPUs | 50 | +| Standard Bsv2 Family vCPUs | 50 | !!! tip "Available Cosmos DB Regions" @@ -126,7 +155,7 @@ These credentials will be used in your ARM template deployment to authenticate a | Name | Description/Value | -|------|-------------| +|------|-------------| | Directory (tenant) ID | Unique identifier for the Microsoft Entra tenant | | Application (client) ID | Unique identifier for the registered application | | Object ID | Unique identifier for the application object in Microsoft Entra | diff --git a/scripts/envrc_template b/scripts/envrc_template index 0775971c..d3caf8c5 100644 --- a/scripts/envrc_template +++ b/scripts/envrc_template @@ -1,5 +1,6 @@ # Common Name Pattern export COMMON_NAME="%COMMON_NAME%" +export REGISTRY="${COMMON_NAME}.azurecr.io/" # Run export AZURE_TENANT_ID="%AZURE_TENANT_ID%" diff --git a/scripts/pre-provision.ps1 b/scripts/pre-provision.ps1 index f2bf2805..39d1aeca 100644 --- a/scripts/pre-provision.ps1 +++ b/scripts/pre-provision.ps1 @@ -224,6 +224,11 @@ function Set-LocalAuth { try { $appConfig = az appconfig list -g $env:AZURE_RESOURCE_GROUP --query '[0].name' -o tsv + if (-not $appConfig) { + Write-Host "No App Configuration found in resource group: $env:AZURE_RESOURCE_GROUP" + return + } + Write-Host "`n==================================================================" Write-Host "Disabling Local Authentication for App Configuration: $appConfig" Write-Host "==================================================================" 
diff --git a/scripts/settings.ps1 b/scripts/settings.ps1 index 42923f10..422494d1 100644 --- a/scripts/settings.ps1 +++ b/scripts/settings.ps1 @@ -275,7 +275,7 @@ function New-YamlFile { $currentLevel = 0 $nodePath = @($nodeName) $osduGroupNode = $nodeName - + # Create output directory for the new OSDU group node $outputDirectory = "./src/$osduGroupNode".ToLower() New-Item -ItemType Directory -Force -Path $outputDirectory | Out-Null @@ -399,7 +399,7 @@ function New-ServiceEnvFile { $currentLevel = 0 $nodePath = @($nodeName) $osduGroupNode = $nodeName - + $outputDirectory = "./src/$osduGroupNode".ToLower() New-Item -ItemType Directory -Force -Path $outputDirectory | Out-Null @@ -465,7 +465,7 @@ function Get-AppInsights { Write-Host "Downloading Application Insights Agent" Write-Host "==================================================================" - $url = "https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.5.4/applicationinsights-agent-3.5.4.jar" + $url = "https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.6.2/applicationinsights-agent-3.6.2.jar" $outputPath = "./src/applicationinsights-agent.jar" try { diff --git a/scripts/template.yaml b/scripts/template.yaml index 7a4e7018..6d1fcd1d 100644 --- a/scripts/template.yaml +++ b/scripts/template.yaml 
@@ -245,4 +245,35 @@ CORE: OSDU_AIRFLOW_VERSION2_ENABLED: true DP_AIRFLOW_FOR_SYSTEM_DAG: false IGNORE_DAGCONTENT: true - IGNORE_CUSTOMOPERATORCONTENT: true \ No newline at end of file + IGNORE_CUSTOMOPERATORCONTENT: true + INDEXER-QUEUE: + RUN: + SPRING_APPLICATION_NAME: "indexer-queue" + SERVER_PORT: "8080" + AZURE_SERVICEBUS_TOPIC_NAME: "recordstopic" + AZURE_SERVICEBUS_TOPIC_SUBSCRIPTION: "recordstopicsubscription" + AZURE_REINDEX_TOPIC_NAME: "reindextopic" + AZURE_REINDEX_TOPIC_SUBSCRIPTION: "reindextopicsubscription" + AZURE_SCHEMACHANGED_TOPIC_NAME: "schemachangedtopiceg" + AZURE_SCHEMACHANGED_TOPIC_SUBSCRIPTION: "schemachangedtopicsubscription" + INDEXER_WORKER_URL: "http://indexer/api/indexer/v2/_dps/task-handlers/index-worker" + SCHEMA_WORKER_URL: "http://indexer/api/indexer/v2/_dps/task-handlers/schema-worker" + PARTITION_API: "http://%AUTH_INGRESS%/api/partition/v1" + MAX_CONCURRENT_CALLS: "32" + EXECUTOR_N_THREADS: "32" + MAX_LOCK_RENEW_DURATION_SECONDS: "600" + MAX_DELIVERY_COUNT: "5" + AZURE_PAAS_PODIDENTITY_ISENABLED: "false" + KEYVAULT_URI: "https://%COMMON_NAME%.vault.azure.net" + AAD_CLIENT_ID: "%AZURE_CLIENT_ID%" + AZURE_APP_RESOURCE_ID: "%AZURE_CLIENT_ID%" + AZURE_CLIENT_ID: "%AZURE_CLIENT_ID%" + AZURE_TENANT_ID: "%AZURE_TENANT_ID%" + APPLICATIONINSIGHTS_ROLE_NAME: "indexer-queue" + TEST: + AZURE_AD_TENANT_ID: "%AZURE_TENANT_ID%" + INTEGRATION_TESTER: "%AZURE_CLIENT_ID%" + AZURE_TESTER_SERVICEPRINCIPAL_SECRET: "%AZURE_CLIENT_SECRET%" + AZURE_AD_APP_RESOURCE_ID: "%AZURE_CLIENT_ID%" + INDEXER_QUEUE_BASE_URL: "http://%AUTH_INGRESS%/api/indexer-queue/v1/" + ENVIRONMENT: "CLOUD" \ No newline at end of file diff --git a/software/applications/osdu-core/base.yaml b/software/applications/osdu-core/base.yaml index 0741db96..131d6b36 100644 --- a/software/applications/osdu-core/base.yaml +++ b/software/applications/osdu-core/base.yaml 
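Review bot: The new `INDEXER-QUEUE` block keeps `AZURE_PAAS_PODIDENTITY_ISENABLED: "false"` and a `TEST` section with `AZURE_TESTER_SERVICEPRINCIPAL_SECRET: "%AZURE_CLIENT_SECRET%"`, while every other service in this commit switches to `AZURE_PAAS_WORKLOADIDENTITY_ISENABLED: "true"` and the `applicationClientSecret` parameter and `AZURE_CLIENT_SECRET` workflow variable are being removed. If the secret is no longer provisioned, the `%AZURE_CLIENT_SECRET%` placeholder will presumably be left unsubstituted in the generated env file; if it still is, a client secret is being written into a local env file that consumers of this template must keep out of version control. Aligning the RUN block with the others (`AZURE_PAAS_WORKLOADIDENTITY_ISENABLED: "true"`) and dropping the secret-based tester variable would make the migration consistent.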
@@ -33,39 +33,39 @@ spec: defaultCpuLimits: "2" defaultMemoryLimits: "4Gi" --- -# apiVersion: helm.toolkit.fluxcd.io/v2beta1 -# kind: HelmRelease -# metadata: -# name: blob-upload -# namespace: default -# annotations: -# clusterconfig.azure.com/use-managed-source: "true" -# spec: -# dependsOn: -# - name: osdu-developer-base-core -# namespace: default -# targetNamespace: osdu-core -# chart: -# spec: -# chart: ./charts/blob-upload -# sourceRef: -# kind: GitRepository -# name: flux-system -# namespace: flux-system -# interval: 5m0s -# install: -# remediation: -# retries: 3 -# valuesFrom: -# - kind: ConfigMap -# name: config-map-values -# valuesKey: values.yaml -# values: -# global: -# configmapNamespace: osdu-core -# blobUpload: -# enabled: true -# items: -# - name: legal -# file: "Legal_COO.json" -# url: "https://raw.githubusercontent.com/Azure/osdu-developer/refs/heads/main/bicep/modules/script-blob-upload/Legal_COO.json" +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: blob-upload + namespace: default + annotations: + clusterconfig.azure.com/use-managed-source: "true" +spec: + dependsOn: + - name: osdu-developer-base-core + namespace: default + targetNamespace: osdu-core + chart: + spec: + chart: ./charts/blob-upload + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + interval: 5m0s + install: + remediation: + retries: 3 + valuesFrom: + - kind: ConfigMap + name: config-map-values + valuesKey: values.yaml + values: + global: + configmapNamespace: osdu-core + blobUpload: + enabled: true + items: + - name: legal + file: "Legal_COO.json" + url: "https://raw.githubusercontent.com/Azure/osdu-developer/refs/heads/main/bicep/modules/deploy-scripts/Legal_COO.json" diff --git a/software/applications/osdu-core/configmap-repo.yaml b/software/applications/osdu-core/configmap-repo.yaml new file mode 100644 index 00000000..2a9a43a0 --- /dev/null +++ b/software/applications/osdu-core/configmap-repo.yaml 
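Review bot: The re-enabled `blob-upload` release fetches `Legal_COO.json` from `refs/heads/main` of the public GitHub repository, so the content presumably seeded into the blob store is whatever that branch holds at reconcile time rather than what was reviewed with this commit. Pinning the URL to an immutable ref (`.../osdu-developer/<commit-sha>/bicep/modules/deploy-scripts/Legal_COO.json`, with the SHA of the intended revision) and, if the chart supports it, verifying a digest would make the seeded legal tag reproducible and tamper-evident. The path also changed from `script-blob-upload/` to `deploy-scripts/`; confirm the file exists at the new path on the pinned revision.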
@@ -0,0 +1,12 @@ +## This file can be used to override the repository for service images. +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: configmap-repo-override + namespace: osdu-core +data: + repository.yaml: | + configuration: + - service: service_name + repository: acr_name.azurecr.io/service_name:latest \ No newline at end of file diff --git a/software/applications/osdu-core/entitlements.yaml b/software/applications/osdu-core/entitlements.yaml index 72ae1809..8aba1e1d 100644 --- a/software/applications/osdu-core/entitlements.yaml +++ b/software/applications/osdu-core/entitlements.yaml @@ -27,6 +27,10 @@ spec: - kind: ConfigMap name: configmap-software valuesKey: value.yaml + - kind: ConfigMap + name: configmap-repo-override + optional: true + valuesKey: repository.yaml values: nameOverride: entitlements installationType: osduCore @@ -66,26 +70,10 @@ spec: - "/api/entitlements/v2/api-docs*" - "/api/entitlements/v2/webjars/*" env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources - key: keyvault-uri + key: keyvault-uri - name: AAD_CLIENT_ID secret: name: active-directory @@ -100,8 +88,8 @@ spec: key: insights-connection - name: AZURE_ISTIOAUTH_ENABLED value: "true" - - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + - name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED + value: "true" - name: SERVER_SERVLET_CONTEXTPATH value: "/api/entitlements/v2/" - name: SERVER_PORT 
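Review bot: With the optional `configmap-repo-override` values source, anyone able to create or edit a ConfigMap of that name in `osdu-core` can repoint the image repository of entitlements (and legal, L61) to an arbitrary registry, since `repository.yaml` is merged into the release values; ConfigMap write access is commonly broader than HelmRelease write access, so state this in the new file's header comment and consider an admission policy restricting allowed registries. Flux merges `valuesFrom` below the inline `spec.values`, and the inline values here carry their own `configuration` list, so confirm the override actually takes effect rather than being shadowed. The example entry `acr_name.azurecr.io/service_name:latest` uses a mutable `:latest` tag; showing a pinned tag or digest in the example steers operators toward immutable references.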
@@ -125,15 +113,15 @@ spec: - name: PARTITION_SERVICE_ENDPOINT value: "http://partition/api/partition/v1" --- -# Retrigger: kubectl annotate helmrelease osdu-init-entitlements fluxcd.io/retrigger=$(date +%s) -n osdu-core +# Retrigger: kubectl annotate helmrelease osdu-entitlements-init fluxcd.io/retrigger=$(date +%s) -n osdu-core apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: osdu-init-entitlements + name: osdu-entitlements-init namespace: osdu-core annotations: clusterconfig.azure.com/use-managed-source: "true" - fluxcd.io/retrigger: "initial" + fluxcd.io/retrigger: "initial" spec: dependsOn: - name: osdu-entitlements diff --git a/software/applications/osdu-core/file.yaml b/software/applications/osdu-core/file.yaml index 01961dbe..34a020b1 100644 --- a/software/applications/osdu-core/file.yaml +++ b/software/applications/osdu-core/file.yaml @@ -70,22 +70,6 @@ spec: - "/api/file/v2/api-docs*" - "/api/file/v2/webjars/*" env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URL secret: name: azure-resources @@ -108,8 +92,8 @@ spec: key: insights-connection - name: AZURE_ISTIOAUTH_ENABLED value: "true" - - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + - name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED + value: "true" - name: SERVER_SERVLET_CONTEXTPATH value: "/api/file/" - name: SERVER_PORT diff --git a/software/applications/osdu-core/indexer.yaml b/software/applications/osdu-core/indexer.yaml index a3c544d7..f3623733 100644 --- a/software/applications/osdu-core/indexer.yaml +++ b/software/applications/osdu-core/indexer.yaml 
@@ -67,22 +67,6 @@ spec: - '*/_dps/task-handlers' - '*/reindex' env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources @@ -101,8 +85,8 @@ spec: key: insights-connection - name: AZURE_ISTIOAUTH_ENABLED value: "true" - - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + - name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED + value: "true" - name: SERVER_PORT value: "80" - name: ACCEPT_HTTP @@ -190,18 +174,6 @@ spec: seconds: 10 keyvault: true env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources @@ -220,8 +192,8 @@ spec: key: insights-key - name: AZURE_ISTIOAUTH_ENABLED value: "true" - - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + - name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED + value: "true" - name: SERVER_PORT value: "80" - name: SPRING_APPLICATION_NAME diff --git a/software/applications/osdu-core/legal.yaml b/software/applications/osdu-core/legal.yaml index 54f72934..ef554df5 100644 --- a/software/applications/osdu-core/legal.yaml +++ b/software/applications/osdu-core/legal.yaml @@ -27,6 +27,10 @@ spec: - kind: ConfigMap name: configmap-software valuesKey: value.yaml + - kind: ConfigMap + name: configmap-repo-override + optional: true + valuesKey: repository.yaml values: nameOverride: legal installationType: osduCore 
@@ -46,7 +50,7 @@ spec: - istio-system/internal-gateway - istio-system/external-gateway repository: community.opengroup.org:5555/osdu/platform/security-and-compliance/legal/legal- - tag: latest + tag: latest probe: path: /actuator/health port: 8081 @@ -64,24 +68,8 @@ spec: - "/api/legal/v1/info" - "/api/legal/v1/swagger*" - "/api/legal/v1/api-docs*" - - "/api/legal/v1/webjars/*" + - "/api/legal/v1/webjars/*" env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources @@ -100,8 +88,8 @@ spec: key: insights-connection - name: AZURE_ISTIOAUTH_ENABLED value: "true" - - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + - name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED + value: "true" - name: SERVER_SERVLET_CONTEXTPATH value: "/api/legal/v1/" - name: SERVER_PORT diff --git a/software/applications/osdu-core/namespace.yaml b/software/applications/osdu-core/namespace.yaml index 814ee83c..42b4e963 100644 --- a/software/applications/osdu-core/namespace.yaml +++ b/software/applications/osdu-core/namespace.yaml @@ -5,4 +5,4 @@ metadata: name: osdu-core labels: toolkit.fluxcd.io/tenant: dev-team - istio-injection: enabled + istio-injection: enabled \ No newline at end of file diff --git a/software/applications/osdu-core/partition.yaml b/software/applications/osdu-core/partition.yaml index 95e33554..2e9af5a0 100644 --- a/software/applications/osdu-core/partition.yaml +++ b/software/applications/osdu-core/partition.yaml 
@@ -27,6 +27,10 @@ spec: - kind: ConfigMap name: configmap-software valuesKey: value.yaml + - kind: ConfigMap + name: configmap-repo-override + optional: true + valuesKey: repository.yaml values: nameOverride: partition installationType: osduCore @@ -65,22 +69,6 @@ spec: - "/api/partition/v1/webjars/*" - "/api/partition/v1/liveness_check*" env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources @@ -99,8 +87,8 @@ spec: key: insights-connection - name: AZURE_ISTIOAUTH_ENABLED value: "true" - - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + - name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED + value: "true" - name: SERVER_SERVLET_CONTEXTPATH value: "/api/partition/v1/" - name: SERVER_PORT @@ -114,11 +102,11 @@ spec: - name: PARTITION_SPRING_LOGGING_LEVEL value: "DEBUG" --- -# Retrigger: kubectl annotate helmrelease osdu-init-partition fluxcd.io/retrigger=$(date +%s) -n osdu-core +# Retrigger: kubectl annotate helmrelease osdu-partition-init fluxcd.io/retrigger=$(date +%s) -n osdu-core apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: osdu-init-partition + name: osdu-partition-init namespace: osdu-core annotations: clusterconfig.azure.com/use-managed-source: "true" 
@@ -148,17 +136,14 @@ spec: elasticInit: false schemaInit: false partition: opendes - clientSecret: - name: active-directory - key: principal-clientpassword valuesFrom: - kind: ConfigMap name: configmap-software valuesKey: value.yaml - - kind: ConfigMap - name: configmap-services + - kind: Secret + name: active-directory targetPath: clientId - valuesKey: client_id + valuesKey: msi-clientid - kind: ConfigMap name: configmap-services targetPath: tenantId diff --git a/software/applications/osdu-core/schema.yaml b/software/applications/osdu-core/schema.yaml index d46993ca..98578b0f 100644 --- a/software/applications/osdu-core/schema.yaml +++ b/software/applications/osdu-core/schema.yaml @@ -65,22 +65,6 @@ spec: - "/api/schema-service/v1/api-docs*" - "/api/schema-service/v2/webjars/*" env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources @@ -99,8 +83,8 @@ spec: key: insights-connection - name: AZURE_ISTIOAUTH_ENABLED value: "true" - - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + - name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED + value: "true" - name: SERVER_SERVLET_CONTEXTPATH value: "/api/schema-service/v1/" - name: SERVER_PORT diff --git a/software/applications/osdu-core/search.yaml b/software/applications/osdu-core/search.yaml index ffb69963..864ac275 100644 --- a/software/applications/osdu-core/search.yaml +++ b/software/applications/osdu-core/search.yaml 
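Review bot: The new `valuesFrom` entry reads `msi-clientid` from the `active-directory` Secret without `optional: true`, so `osdu-partition-init` will sit in a failed state until whatever populates that Secret (not in this diff) writes the key; that is the right fail-closed default, but a comment such as `# msi-clientid: workload-identity client id; reconcile fails until the key exists` would explain the first-run error. The `clientSecret` value is removed rather than set empty, so if the `osdu-developer-init` chart still defaults `clientSecret` to a Secret reference the job would keep looking for `principal-clientpassword`; worth checking the chart's `values.yaml`. `tenantId` still comes from `configmap-services` while `clientId` now comes from a Secret, which is fine but worth a line noting why the two differ.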
@@ -64,25 +64,9 @@ spec: - "*/configuration/security" - "/api/search/v2/info" - "/api/search/v2/swagger*" - - "/api/search/v2/api-docs*" - - "/api/search/v2/webjars/*" + - "/api/search/v2/api-docs*" + - "/api/search/v2/webjars/*" env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources @@ -101,8 +85,8 @@ spec: key: insights-connection - name: AZURE_ISTIOAUTH_ENABLED value: "true" - - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + - name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED + value: "true" - name: SERVER_PORT value: "80" - name: ACCEPT_HTTP diff --git a/software/applications/osdu-core/storage.yaml b/software/applications/osdu-core/storage.yaml index 7111362b..f503481f 100644 --- a/software/applications/osdu-core/storage.yaml +++ b/software/applications/osdu-core/storage.yaml @@ -70,24 +70,8 @@ spec: - "/api/storage/v2/info" - "/api/storage/v2/swagger*" - "/api/storage/v2/api-docs*" - - "/api/storage/v2/webjars/*" + - "/api/storage/v2/webjars/*" env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources 
@@ -106,8 +90,8 @@ spec: key: insights-connection - name: AZURE_ISTIOAUTH_ENABLED value: "true" - - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + - name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED + value: "true" - name: SERVER_PORT value: "80" - name: ACCEPT_HTTP @@ -121,7 +105,7 @@ spec: - name: AZURE_EVENTGRID_ENABLED value: "false" - name: AZURE_SERVICEBUS_ENABLED - value: "true" + value: "true" - name: SERVICEBUS_TOPIC_NAME value: recordstopic - name: SERVICEBUS_V2_TOPIC_NAME @@ -152,4 +136,3 @@ spec: value: redis-hostname - name: REDIS_PASSWORD_KEY value: redis-password - \ No newline at end of file diff --git a/software/applications/osdu-core/user-init.yaml b/software/applications/osdu-core/user-init.yaml index 6c448de4..d3799b37 100644 --- a/software/applications/osdu-core/user-init.yaml +++ b/software/applications/osdu-core/user-init.yaml @@ -1,15 +1,14 @@ --- -# kubectl create job --namespace osdu-core --from=cronjob/user-init user-init-run-$(date +%s) apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: osdu-init-users + name: osdu-init-user namespace: osdu-core annotations: clusterconfig.azure.com/use-managed-source: "true" spec: dependsOn: - - name: osdu-init-entitlements + - name: osdu-entitlements-init namespace: osdu-core targetNamespace: osdu-core chart: 
@@ -24,29 +23,48 @@ spec: remediation: retries: 3 values: - installationType: osduCore jobs: - partitionInit: false - entitlementInit: false - userInit: true - elasticInit: false - schemaInit: false - clientSecret: - name: active-directory - key: principal-clientpassword + userInit: true valuesFrom: - kind: ConfigMap name: configmap-software valuesKey: value.yaml - kind: ConfigMap name: configmap-services - targetPath: clientId - valuesKey: client_id + targetPath: emailAddress + valuesKey: first_user_id +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: osdu-init-user-sp + namespace: osdu-core + annotations: + clusterconfig.azure.com/use-managed-source: "true" +spec: + dependsOn: + - name: osdu-entitlements-init + namespace: osdu-core + targetNamespace: osdu-core + chart: + spec: + chart: ./charts/osdu-developer-init + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + interval: 5m0s + install: + remediation: + retries: 3 + values: + jobs: + userInit: true + valuesFrom: - kind: ConfigMap - name: configmap-services - targetPath: tenantId - valuesKey: tenant_id + name: configmap-software + valuesKey: value.yaml - kind: ConfigMap name: configmap-services targetPath: emailAddress - valuesKey: first_user_id \ No newline at end of file + valuesKey: client_id \ No newline at end of file diff --git a/software/applications/osdu-core/workflow.yaml b/software/applications/osdu-core/workflow.yaml index 5eddb537..752c5bd8 100644 --- a/software/applications/osdu-core/workflow.yaml +++ b/software/applications/osdu-core/workflow.yaml @@ -46,7 +46,7 @@ spec: - istio-system/internal-gateway - istio-system/external-gateway repository: community.opengroup.org:5555/osdu/platform/data-flow/ingestion/ingestion-workflow/ingestion-workflow- - tag: latest + tag: latest probe: path: /actuator/health port: 8081 
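Review bot: The second release `osdu-init-user-sp` feeds `client_id` into `emailAddress`, while admin.http in this same commit says a service-principal member is identified by its OID rather than its application (client) id; please confirm which identifier the user-init job expects, since a wrong one grants nothing and fails quietly. Both releases also drop `installationType: osduCore` and the explicit `partitionInit`/`entitlementInit`/`elasticInit`/`schemaInit: false` flags, which is only safe if the chart defaults them to false (its values are not in this diff). The two specs differ only in name and one `valuesKey`, so a comment above each stating which principal it bootstraps would help, e.g. `# Bootstraps the first interactive user (first_user_id)` and `# Bootstraps the deployment service principal (client_id)`; a reusable values anchor or a second `valuesFrom` entry on one release would avoid the 25-line duplication if the chart allows it.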
@@ -64,24 +64,8 @@ spec: - "/api/workflow/v3/info" - "/api/workflow/v3/swagger*" - "/api/workflow/v3/api-docs*" - - "/api/workflow/v3/webjars/*" + - "/api/workflow/v3/webjars/*" env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources @@ -100,8 +84,8 @@ spec: key: insights-connection - name: AZURE_ISTIOAUTH_ENABLED value: "true" - - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + - name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED + value: "true" - name: SERVER_SERVLET_CONTEXTPATH value: "/api/workflow/" - name: SERVER_PORT @@ -150,11 +134,11 @@ spec: value: "OBSOLETE" - name: OSDU_AIRFLOW_VERSION2_ENABLED value: true - - name: DP_AIRFLOW_FOR_SYSTEM_DAG + - name: DP_AIRFLOW_FOR_SYSTEM_DAG value: "false" - - name: IGNORE_DAGCONTENT + - name: IGNORE_DAGCONTENT value: "true" - - name: IGNORE_CUSTOMOPERATORCONTENT + - name: IGNORE_CUSTOMOPERATORCONTENT value: "true" --- # Retrigger: kubectl annotate helmrelease osdu-init-workflow fluxcd.io/retrigger=$(date +%s) -n osdu-core @@ -165,7 +149,7 @@ metadata: namespace: osdu-core annotations: clusterconfig.azure.com/use-managed-source: "true" - fluxcd.io/retrigger: "initial" + fluxcd.io/retrigger: "initial" spec: dependsOn: - name: osdu-workflow diff --git a/software/applications/osdu-reference/crs-catalog.yaml b/software/applications/osdu-reference/crs-catalog.yaml index 95c8b0c4..17c6f809 100644 --- a/software/applications/osdu-reference/crs-catalog.yaml +++ b/software/applications/osdu-reference/crs-catalog.yaml 
@@ -72,22 +72,6 @@ spec: path: /mnt/crs_catalogs subPath: crs env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources @@ -107,7 +91,7 @@ spec: - name: AZURE_ISTIOAUTH_ENABLED value: "true" - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + value: "true" - name: SERVER_PORT value: "80" - name: ACCEPT_HTTP diff --git a/software/applications/osdu-reference/crs-conversion.yaml b/software/applications/osdu-reference/crs-conversion.yaml index 5ccb3073..3f413cc6 100644 --- a/software/applications/osdu-reference/crs-conversion.yaml +++ b/software/applications/osdu-reference/crs-conversion.yaml @@ -72,22 +72,6 @@ spec: path: /mnt/crs_conversion subPath: crs-conversion env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources @@ -107,7 +91,7 @@ spec: - name: AZURE_ISTIOAUTH_ENABLED value: "true" - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + value: "true" - name: SERVER_PORT value: "80" - name: ACCEPT_HTTP diff --git a/software/applications/osdu-reference/unit.yaml b/software/applications/osdu-reference/unit.yaml index 0f6c8819..00785fce 100644 --- a/software/applications/osdu-reference/unit.yaml +++ b/software/applications/osdu-reference/unit.yaml 
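Review bot: `AZURE_PAAS_PODIDENTITY_ISENABLED` is flipped to `"true"` here and in crs-conversion.yaml in this chunk and unit.yaml in the next, whereas every osdu-core service in this commit renames the variable to `AZURE_PAAS_WORKLOADIDENTITY_ISENABLED`. AAD Pod Identity is the retired predecessor of workload identity, so enabling the old flag looks like the wrong switch unless the reference services build against an OSDU Azure library that only knows the old name; if the library version used by the new `Dockerfile-java` builds supports it, align these to `- name: AZURE_PAAS_WORKLOADIDENTITY_ISENABLED` / `value: "true"`. As with the core services, dropping `AZURE_CLIENT_SECRET` from the env leaves the `principal-clientpassword` key itself in the `active-directory` Secret; see the entitlements note for the rotation point.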
@@ -72,22 +72,6 @@ spec: path: /mnt/unit_catalogs subPath: unit env: - - name: AZURE_TENANT_ID - secret: - name: active-directory - key: tenant-id - - name: AZURE_SUBSCRIPTION_ID - secret: - name: active-directory - key: subscription-id - - name: AZURE_CLIENT_ID - secret: - name: active-directory - key: principal-clientid - - name: AZURE_CLIENT_SECRET - secret: - name: active-directory - key: principal-clientpassword - name: KEYVAULT_URI secret: name: azure-resources @@ -107,7 +91,7 @@ spec: - name: AZURE_ISTIOAUTH_ENABLED value: "true" - name: AZURE_PAAS_PODIDENTITY_ISENABLED - value: "false" + value: "true" - name: SERVER_PORT value: "80" - name: ACCEPT_HTTP diff --git a/software/components/airflow/release.yaml b/software/components/airflow/release.yaml index 9c9c862d..28d419c4 100644 --- a/software/components/airflow/release.yaml +++ b/software/components/airflow/release.yaml @@ -83,6 +83,9 @@ spec: - "--extra-index-url=https://community.opengroup.org/api/v4/projects/823/packages/pypi/simple" - "osdu-ingestion>=0.27,<1.0.0" kubernetesPodTemplate: + serviceAccountName: workload-identity-sa + annotations: + azure.workload.identity/use: "true" extraPipPackages: # - "apache-airflow-providers-microsoft-azure" - "--extra-index-url=https://community.opengroup.org/api/v4/projects/148/packages/pypi/simple" @@ -118,7 +121,7 @@ spec: AIRFLOW__WEBSERVER__WORKER_CLASS: "sync" # AIRFLOW__WEBSERVER__WORKERS: "8" AIRFLOW__API__AUTH_BACKEND: "airflow.api.auth.backend.basic_auth" - AIRFLOW_VAR_CORE__CONFIG__SHOW_SKIPPED_IDS: "True" + AIRFLOW_VAR_CORE__CONFIG__SHOW_SKIPPED_IDS: "True" # AIRFLOW_VAR_CORE__CONFIG__DATALOAD_CONFIG_PATH: "/opt/airflow/dags/configs/dataload.ini" extraEnv: diff --git a/software/components/airflow/source.yaml b/software/components/airflow/source.yaml index 63507f10..79ff0fc6 100644 --- a/software/components/airflow/source.yaml +++ b/software/components/airflow/source.yaml 
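Review bot: `azure.workload.identity/use: "true"` is placed under `annotations` in `kubernetesPodTemplate`, but as far as I know the Azure Workload Identity mutating webhook selects pods by that key as a label, not an annotation, so nothing would inject the federated token into Airflow task pods and they would fall back to whatever credentials remain in their environment. Unless the chart remaps annotations, this should be a pod label; if this is the airflow-community chart, its `kubernetesPodTemplate` exposes `podLabels`/`podAnnotations` rather than `annotations`, so both the key name and the placement need checking against the chart's values schema. Also confirm that `workload-identity-sa` exists in the Airflow namespace and carries the `azure.workload.identity/client-id` annotation; neither is created in this diff.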
@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: airflow-official
@@ -8,7 +8,7 @@ spec:
 interval: 5m
 url: https://airflow.apache.org
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: airflow-community
diff --git a/software/components/certs/source.yaml b/software/components/certs/source.yaml
index ab088d12..f67eb4a9 100644
--- a/software/components/certs/source.yaml
+++ b/software/components/certs/source.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: cert-manager
diff --git a/software/components/osdu-system/cache.yaml b/software/components/osdu-system/cache.yaml
index 85e3c33a..d7cebf80 100644
--- a/software/components/osdu-system/cache.yaml
+++ b/software/components/osdu-system/cache.yaml
@@ -13,7 +13,6 @@ spec:
 name: root-ca-cluster-issuer
 kind: ClusterIssuer
 ---
----
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
@@ -40,7 +39,7 @@ spec:
 valuesKey: values.yaml
 values:
 secrets:
- - secretName: keyvault-secrets
+ - secretName: keyvault-secrets
 data:
 - key: redis-password
 vaultSecret: redis-password
diff --git a/software/components/osdu-system/database.yaml b/software/components/osdu-system/database.yaml
index aadf54be..3debde4b 100644
--- a/software/components/osdu-system/database.yaml
+++ b/software/components/osdu-system/database.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: cnpg
@@ -18,7 +18,7 @@ spec:
 releaseName: database-operator
 chart:
 spec:
- chart: cloudnative-pg
+ chart: cloudnative-pg
 sourceRef:
 kind: HelmRepository
 name: cnpg
diff --git a/software/components/osdu-system/mesh.yaml b/software/components/osdu-system/mesh.yaml
index 9cf8e107..1e7d2caf 100644
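Review bot: The HelmRepository objects move to `source.toolkit.fluxcd.io/v1` here, in certs/source.yaml and database.yaml, and in mesh.yaml and reloader.yaml in the next chunk, but the HelmRelease objects visible as context in cache.yaml and mesh.yaml stay on `helm.toolkit.fluxcd.io/v2beta1`, which recent Flux releases mark deprecated. Mixed API generations are not wrong, but if the goal of this change is to get ahead of removals it should cover the HelmRelease kind in the same pass; otherwise a one-line note in the commit message saying the HelmRelease bump is deferred would avoid the question. Please verify against the Flux version shipped by the AKS extension in use.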
--- a/software/components/osdu-system/mesh.yaml
+++ b/software/components/osdu-system/mesh.yaml
@@ -6,7 +6,7 @@ metadata:
 labels:
 toolkit.fluxcd.io/tenant: component
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: istio
@@ -15,7 +15,7 @@ spec:
 interval: 10m
 url: https://istio-release.storage.googleapis.com/charts
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: jetstack
@@ -181,7 +181,7 @@ spec:
 port: 443
 protocol: TCP
 targetPort: 443
- annotations:
+ annotations:
 service.beta.kubernetes.io/azure-load-balancer-internal: 'true'
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
@@ -212,7 +212,7 @@ spec:
 values:
 service:
 type: LoadBalancer
- annotations:
+ annotations:
 service.beta.kubernetes.io/azure-load-balancer-internal: 'false'
 # service.beta.kubernetes.io/azure-dns-label-name: 'osdu-developer'
 ports:
diff --git a/software/components/osdu-system/reloader.yaml b/software/components/osdu-system/reloader.yaml
index 8ef01dfb..b25ee034 100644
--- a/software/components/osdu-system/reloader.yaml
+++ b/software/components/osdu-system/reloader.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
 name: stakater
diff --git a/src/Dockerfile-java b/src/Dockerfile-java
new file mode 100644
index 00000000..a5967b17
--- /dev/null
+++ b/src/Dockerfile-java
@@ -0,0 +1,81 @@
+# Define default values for ARGs
+ARG IFX_AUDIT_PACKAGE=libifxaudit-1.0-1525.x86_64
+ARG AZUL_JDK_PACKAGE="zulu17.48.15-ca-jdk17.0.10-linux_x64"
+ARG BASE_IMAGE="mcr.microsoft.com/openjdk/jdk:17-mariner"
+ARG EXTRA_JAVA_OPTS=""
+
+FROM ${BASE_IMAGE} AS builder
+ARG EXTRA_FILES
+ARG EXTRA_FILES_DEST_DIR="extra-files"
+ARG INCLUDE_MODULES_OPT=""
+ARG SKIP_TESTS=false
+ARG SERVICE_PATH
+
+WORKDIR /app
+
+# Install required packages
+RUN tdnf update -y && \
+ tdnf install -y maven && \
+ rm -rf /var/cache/tdnf/*
+
+# Copy local source code instead of git clone
+COPY ${SERVICE_PATH} src/
+
+# Maven Build Service
+RUN mvn -f src/pom.xml validate ${INCLUDE_MODULES_OPT} --settings src/.mvn/community-maven.settings.xml && \
+ if [ "$SKIP_TESTS" = "true" ]; then \
+ mvn -f src/pom.xml clean install ${INCLUDE_MODULES_OPT} --settings src/.mvn/community-maven.settings.xml -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn -DskipTests; \
+ else \
+ mvn -f src/pom.xml clean install ${INCLUDE_MODULES_OPT} --settings src/.mvn/community-maven.settings.xml -B -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn; \
+ fi
+
+RUN find src -type f \( -name '*aks*' -o -name '*Enqueue*' -o -name '*azure*' \) -a -name '*-spring-boot.jar' -exec cp {} app.jar \;
+# RUN find src -type f -name 'git.sha' -exec cp {} git.sha \;
+
+# Copy extra files only if EXTRA_FILES is set, otherwise it would copy src folder with other java artifacts
+RUN mkdir -p $EXTRA_FILES_DEST_DIR
+
+RUN if [ -n "$EXTRA_FILES" ]; then \
+ FILE_NAME=$(basename "$EXTRA_FILES") && \
+ RELATIVE_PATH=$(dirname "$EXTRA_FILES") && \
+ mkdir -p "$EXTRA_FILES_DEST_DIR/$RELATIVE_PATH" && \
+ cp -r "src/$EXTRA_FILES" "$EXTRA_FILES_DEST_DIR/$RELATIVE_PATH"; \
+ fi
+
+FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
+ARG AZUL_JDK_PACKAGE
+ARG EXTRA_JAVA_OPTS
+ARG JAR_FILE
+ARG IFX_AUDIT_PACKAGE
+ARG EXTRA_FILES
+ARG EXTRA_FILES_DEST_DIR="extra-files"
+ARG APPLICATIONINSIGHTS_VERSION="3.5.4"
+
+# Install required packages
+RUN tdnf update -y && \
+ tdnf install -y curl tar ca-certificates && \
+ rm -rf /var/cache/tdnf/*
+
+# Download Application Insights agent
+RUN curl -LO https://github.com/microsoft/ApplicationInsights-Java/releases/download/${APPLICATIONINSIGHTS_VERSION}/applicationinsights-agent-${APPLICATIONINSIGHTS_VERSION}.jar \
+ && mv applicationinsights-agent-${APPLICATIONINSIGHTS_VERSION}.jar applicationinsights-agent.jar
+
+RUN curl -LO https://cdn.azul.com/zulu/bin/${AZUL_JDK_PACKAGE}.tar.gz \
+ && mkdir -p /usr/lib/jvm \
+ && tar -xf ./${AZUL_JDK_PACKAGE}.tar.gz -C /usr/lib/jvm \
+ && rm -f ${AZUL_JDK_PACKAGE}.tar.gz
+
+RUN curl -LO https://packages.microsoft.com/centos/7/prod/Packages/l/${IFX_AUDIT_PACKAGE}.rpm \
+ && tdnf install -y ${IFX_AUDIT_PACKAGE}.rpm \
+ && rm -rf ${IFX_AUDIT_PACKAGE}.rpm
+
+COPY --from=builder /app/app.jar app.jar
+COPY --from=builder /app/${EXTRA_FILES_DEST_DIR}/${EXTRA_FILES} ${EXTRA_FILES}
+# COPY --from=builder /app/git.sha git.sha
+
+ENV PATH="/usr/lib/jvm/${AZUL_JDK_PACKAGE}/bin:$PATH"
+ENV JAVA_HOME="/usr/lib/jvm/${AZUL_JDK_PACKAGE}"
+ENV DEFAULT_JVM_OPTS="-XX:+UseG1GC -XX:InitialRAMPercentage=25.0 -XX:MaxRAMPercentage=50.0 -XX:+HeapDumpOnOutOfMemoryError"
+ENV LOGGING_JVM_OPTS="-DAPPINSIGHTS_LOGGING_ENABLED=true -Dlog4j2.formatMsgNoLookups=true -Djna.library.path=/usr/lib -DAZURE_AUDIT_ENABLED=true"
+ENV JAVA_OPTS="${DEFAULT_JVM_OPTS} ${LOGGING_JVM_OPTS} ${EXTRA_JAVA_OPTS}"
+ENTRYPOINT ["java", "-javaagent:/applicationinsights-agent.jar", "-jar", "/app.jar"]
\ No newline at end of file
diff --git a/src/docker-bake.hcl b/src/docker-bake.hcl
new file mode 100644
index 00000000..40da4077
--- /dev/null
+++ b/src/docker-bake.hcl
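Review bot: `ENV JAVA_OPTS=...` at the end of the runtime stage is never consumed: the exec-form `ENTRYPOINT ["java", ...]` passes no `$JAVA_OPTS`, and the `java` launcher itself only honours `JDK_JAVA_OPTIONS` and `JAVA_TOOL_OPTIONS`, so the heap limits, `-Dlog4j2.formatMsgNoLookups=true` and `-DAZURE_AUDIT_ENABLED=true` in `DEFAULT_JVM_OPTS`/`LOGGING_JVM_OPTS` silently do not apply to the running service. The one-line fix is `ENV JDK_JAVA_OPTIONS="${DEFAULT_JVM_OPTS} ${LOGGING_JVM_OPTS} ${EXTRA_JAVA_OPTS}"`, which the JDK 17 launcher picks up automatically. Separately, the Application Insights agent, the Azul JDK tarball and the `libifxaudit` rpm are fetched with `curl -LO` and installed with no checksum or signature verification, and without `-f` an HTTP error page would be saved under the artifact's name and fail later in a confusing way; pinning a SHA-256 per artifact as a build ARG and verifying before use, as sketched below, closes that supply-chain gap. The runtime stage also never leaves root, so a dedicated `USER` before `ENTRYPOINT` is worth adding once the audit library and heap-dump path are confirmed to work unprivileged.
```dockerfile
# … unchanged: runtime-stage ARGs and tdnf install …
ARG APPLICATIONINSIGHTS_SHA256="<placeholder: sha256 of applicationinsights-agent-${APPLICATIONINSIGHTS_VERSION}.jar>"
RUN curl -fsSLO https://github.com/microsoft/ApplicationInsights-Java/releases/download/${APPLICATIONINSIGHTS_VERSION}/applicationinsights-agent-${APPLICATIONINSIGHTS_VERSION}.jar \
    && echo "${APPLICATIONINSIGHTS_SHA256}  applicationinsights-agent-${APPLICATIONINSIGHTS_VERSION}.jar" | sha256sum -c - \
    && mv applicationinsights-agent-${APPLICATIONINSIGHTS_VERSION}.jar applicationinsights-agent.jar
# … same ARG + sha256sum -c pattern for the Azul tarball and the libifxaudit rpm; unchanged: COPY --from=builder lines, PATH/JAVA_HOME …
ENV DEFAULT_JVM_OPTS="-XX:+UseG1GC -XX:InitialRAMPercentage=25.0 -XX:MaxRAMPercentage=50.0 -XX:+HeapDumpOnOutOfMemoryError"
ENV LOGGING_JVM_OPTS="-DAPPINSIGHTS_LOGGING_ENABLED=true -Dlog4j2.formatMsgNoLookups=true -Djna.library.path=/usr/lib -DAZURE_AUDIT_ENABLED=true"
# The java launcher reads JDK_JAVA_OPTIONS (JDK 9+); a plain JAVA_OPTS variable is only a convention for wrapper scripts
ENV JDK_JAVA_OPTIONS="${DEFAULT_JVM_OPTS} ${LOGGING_JVM_OPTS} ${EXTRA_JAVA_OPTS}"
# non-root uid placeholder; create the account per the base image's conventions
USER 10001:10001
ENTRYPOINT ["java", "-javaagent:/applicationinsights-agent.jar", "-jar", "/app.jar"]
```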
@@ -0,0 +1,166 @@
+# docker buildx bake
+# Set to "true" to build for arm64
+variable "BUILD_ARM" {
+ default = "auto"
+}
+
+function "platforms" {
+ params = []
+ result = equal(BUILD_ARM, "true") ? ["linux/amd64", "linux/arm64"] : ["linux/amd64"]
+}
+
+variable "REGISTRY" {}
+
+group "default" {
+ targets = [
+ "partition",
+ "entitlements",
+ "legal",
+ "schema",
+ "storage",
+ "file",
+ "indexer",
+ "indexer-queue",
+ "search",
+ "crs-catalog",
+ "crs-conversion",
+ "unit"
+ ]
+}
+
+target "partition" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/partition"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}partition"]
+ output = ["type=image,push=true"]
+}
+
+target "entitlements" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/entitlements"
+ SKIP_TESTS = "true"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}entitlements"]
+ output = ["type=image,push=true"]
+}
+
+target "legal" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/legal"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}legal"]
+ output = ["type=image,push=true"]
+}
+
+target "schema" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/schema"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}schema"]
+ output = ["type=image,push=true"]
+}
+
+target "storage" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/storage"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}storage"]
+ output = ["type=image,push=true"]
+}
+
+target "file" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/file"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}file"]
+ output = ["type=image,push=true"]
+}
+
+target "indexer" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/indexer"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}indexer"]
+ output = ["type=image,push=true"]
+}
+
+target "indexer-queue" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/indexer-queue"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}indexer-queue"]
+ output = ["type=image,push=true"]
+}
+
+target "search" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/search"
+ INCLUDE_MODULES_OPT = "-pl search-core,provider/search-azure"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}search"]
+ output = ["type=image,push=true"]
+}
+
+target "crs-catalog" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/crs-catalog"
+ EXTRA_FILES = "data/crs_catalog_v2.json"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}crs-catalog"]
+ output = ["type=image,push=true"]
+}
+
+target "crs-conversion" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/crs-conversion"
+ EXTRA_FILES = "apachesis_setup"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}crs-conversion"]
+ output = ["type=image,push=true"]
+}
+
+target "unit" {
+ context = "."
+ dockerfile = "Dockerfile-java"
+ args = {
+ SERVICE_PATH = "./core/unit"
+ EXTRA_FILES = "data/unit_catalog_v2.json"
+ }
+ platforms = platforms()
+ tags = ["${REGISTRY}unit"]
+ output = ["type=image,push=true"]
+}
\ No newline at end of file
diff --git a/tools/rest-scripts/admin.http b/tools/rest-scripts/admin.http
index 1d6ab49c..34ad39f5 100644
--- a/tools/rest-scripts/admin.http
+++ b/tools/rest-scripts/admin.http
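Review bot: Every target tags its image as bare `${REGISTRY}<service>` and sets `output = ["type=image,push=true"]`, so each `docker buildx bake` run overwrites the mutable `latest` tag with no reproducible identifier, and the repository-override ConfigMap added in this same commit points services at `...:latest`, which turns any registry write into a silent deploy. A `variable "TAG" { default = "latest" }` together with `tags = ["${REGISTRY}partition:${TAG}"]` (and the same for the other eleven targets) lets CI pass the git SHA and the cluster pin a digest. `variable "REGISTRY" {}` has no default, so an unset value produces tags like `partition` and a push aimed at Docker Hub rather than the ACR; failing early when it is empty, or documenting it as required next to the `# docker buildx bake` comment, would avoid that. The `BUILD_ARM` default `"auto"` behaves exactly like any value other than `"true"`, which the comment `# Set to "true" to build for arm64` does not convey; either drop `"auto"` or note that it means amd64-only.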
@@ -48,13 +48,14 @@ grant_type=client_credentials
 # @name info
 GET {{ENTITLEMENTS_HOST}}/info
 Authorization: Bearer {{access_token}}
-# x-payload: Bearer {{access_token}}
 Accept: application/json
+# x-payload: Bearer {{access_token}}
 # ---------------------------------
 # Group Name
 # ---------------------------------
+###
 # This is the identifier for the group you are adding.
 @group_name = app.trusted
@@ -72,7 +73,6 @@ Accept: application/json
 @group_type_email = {{admins_group_type}}@{{DATA_PARTITION}}.{{domain}}
-
 # -----------------------------------------------------------------------------------------------------------------
 # These actions are part of deployment processes.
 # -----------------------------------------------------------------------------------------------------------------
@@ -162,7 +162,7 @@ Content-Type: application/json
 # This is the identifier for the user you are adding.
 # When using AAD, this is the email for the user if adding an AAD user.
 # When using ADD and a Service principal this is the OID of the Service Principal.
-@member_email = daniel.scholl@microsoft.com
+@member_email =
 # -----------------------
diff --git a/tools/rest-scripts/schema.http b/tools/rest-scripts/schema.http
index 5e0fabf0..d4accfb6 100644
--- a/tools/rest-scripts/schema.http
+++ b/tools/rest-scripts/schema.http
@@ -138,6 +138,7 @@ Accept: application/json
 data-partition-id: {{DATA_PARTITION}}
+### This call can't be done by a default user.
 ###
 # @name createSystemSchema
 PUT {{SCHEMA_HOST}}/schemas/system
diff --git a/tools/rest-scripts/storage.http b/tools/rest-scripts/storage.http
index 84a80184..6d102744 100644
--- a/tools/rest-scripts/storage.http
+++ b/tools/rest-scripts/storage.http
@@ -141,12 +141,11 @@ data-partition-id: {{DATA_PARTITION}}
 ###
 # @name getRecord
-GET {{STORAGE_HOST}}/records/{{id}}
+GET {{STORAGE_HOST}}/records/{{createRecord.response.body.recordIds[0]}}
 Authorization: Bearer {{access_token}}
 Accept: application/json
 data-partition-id: {{DATA_PARTITION}}
-@recordversion = {{getRecord.response.body.version}}
 ###
 # @name getRecordIdByKind
@@ -155,11 +154,10 @@ Authorization: Bearer {{access_token}}
 Accept: application/json
 data-partition-id: {{DATA_PARTITION}}
-@id = {{getRecordIdByKind.response.body.results[0]}}
 ###
 # @name getRecordByVersion
-GET {{STORAGE_HOST}}/records/{{id}}/{{recordversion}}
+GET {{STORAGE_HOST}}/records/{{id}}/{{getRecord.response.body.version}}
 Authorization: Bearer {{access_token}}
 Accept: application/json
 data-partition-id: {{DATA_PARTITION}}
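Review bot: The second hunk deletes `@id = {{getRecordIdByKind.response.body.results[0]}}` but the rewritten `getRecordByVersion` request still reads `{{id}}`, so unless `@id` is defined earlier in the file (not visible here) that request now carries an unresolved variable in its path. `getRecord` was switched to `{{createRecord.response.body.recordIds[0]}}` in the first hunk, so the consistent fix is `GET {{STORAGE_HOST}}/records/{{createRecord.response.body.recordIds[0]}}/{{getRecord.response.body.version}}`, or keep the `@id` assignment. Either way a short comment above the request saying it depends on `createRecord` and `getRecord` having been executed first would spare the next user the ordering surprise.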