diff --git a/bicep/main.bicep b/bicep/main.bicep
index 8dd5180e..ea8057fa 100644
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@@ -32,15 +32,6 @@ param ingressType string = 'External'
 @description('Feature Flag: Enable Storage accounts public access.')
 param enableBlobPublicAccess bool = false
-@description('Feature Flag: Enable AKS Enhanced Subnet Support (Azure CNI)')
-param enablePodSubnet bool = false
-
-@description('Optional: Cluster Configuration Overrides')
-param clusterConfiguration object = {
- enablePrivateCluster: ''
- enableNodeAutoProvisioning: ''
-}
-
 @description('(Optional) Software Load Override - {enable/osduCore/osduReference} --> true/false, {repository} --> https://github.com/azure/osdu-devloper {branch} --> branch:main')
 param clusterSoftware object = {
 enable: true
@@ -58,6 +49,12 @@ param experimentalSoftware object = {
 adminUI: false
 }
+@description('Optional: Cluster Configuration Overrides')
+param clusterConfiguration object = {
+ enableNodeAutoProvisioning: true
+ enablePrivateCluster: false
+}
+
 @description('Optional. Bring your own Virtual Network.')
 param vnetConfiguration object = {
 group: ''
@@ -82,14 +79,6 @@ param vnetConfiguration object = {
 }
 }
-// This would be a type but bugs exist for ARM Templates so is object instead.
-@description('Cluster Network Overrides - {ingress} (Both/Internal/External), {serviceCidr}, {dnsServiceIP}')
-param clusterNetwork object = {
- ingress: ''
- serviceCidr: ''
- dnsServiceIP: ''
-}
-
 /////////////////////////////////
 // Configuration
 /////////////////////////////////
@@ -211,7 +200,7 @@ module networkBlade 'modules/blade_network.bicep' = if (enableVnetInjection) {
 workspaceResourceId: logAnalytics.outputs.resourceId
 identityId: stampIdentity.outputs.principalId
- enablePodSubnet: enablePodSubnet
+ enablePodSubnet: vnetConfiguration.podSubnet.name != '' && vnetConfiguration.podSubnet.prefix != '' ? true: false
 enableVnetInjection: enableVnetInjection
 vnetConfiguration: {
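Review bot: The re-added `clusterConfiguration` defaults in `@@ -58,6 +49,12 @@` are booleans (`enablePrivateCluster: false`), but the serviceBlade hunk at `@@ -340,14 +329,13 @@` still compares those members to the string `'false'`; as far as I can tell ARM's `equals()` never treats a boolean as equal to a string, so the default `false` falls through to `true` and a private cluster is created by default, contrary to the "False by default" row this commit adds to feature_flags.md. Bicep will not flag this because members of an untyped `object` are `any`; `enableNodeAutoProvisioning` has the same mismatch and only lands on the intended value because its default is `true`. If overrides may arrive either as strings or booleans, normalising first keeps both paths correct: `enablePrivateCluster: toLower(string(clusterConfiguration.enablePrivateCluster)) == 'true'` and `enableNodeAutoProvisioning: toLower(string(clusterConfiguration.enableNodeAutoProvisioning)) != 'false'`. Otherwise declare the defaults as strings to match the comparisons, as the removed block did.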
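Review bot: The trailing `? true: false` on the new `enablePodSubnet` line in `@@ -211,7 +200,7 @@` is redundant, since the `&&` expression is already a bool, and the spacing is inconsistent; `enablePodSubnet: vnetConfiguration.podSubnet.name != '' && vnetConfiguration.podSubnet.prefix != ''` reads cleaner. More importantly the flag now depends on `vnetConfiguration.podSubnet` being present: the default object's `podSubnet` member is outside the visible hunk, and a caller-supplied `vnetConfiguration` override that omits it would fail at deployment with a property-not-found error where the old standalone `enablePodSubnet` param could not. Guarding with `contains(vnetConfiguration, 'podSubnet')` (or moving to a typed parameter with defaults) keeps the override shape tolerant. The networkBlade module declaration continues outside this hunk.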
@@ -340,14 +329,13 @@ module serviceBlade 'modules/blade_service.bicep' = {
 location: location
 enableTelemetry: enableTelemetry
+ enableNodeAutoProvisioning: clusterConfiguration.enableNodeAutoProvisioning == 'false' ? false : true
+ enablePrivateCluster: clusterConfiguration.enablePrivateCluster == 'false' ? false : true
+ osduVersion: clusterSoftware.osduVersion == '' ? 'master' : clusterSoftware.osduVersion
 enableSoftwareLoad: clusterSoftware.enable == 'false' ? false : true
 enableOsduCore: clusterSoftware.osduCore == 'false' ? false : true
 enableOsdureference: clusterSoftware.osduReference == 'false' ? false : true
-
- enableNodeAutoProvisioning: clusterConfiguration.enableNodeAutoProvisioning == 'false' ? false : true
- enablePrivateCluster: clusterConfiguration.enablePrivateCluster == 'true' ? true : false
-
 enableExperimental: experimentalSoftware.enable == 'true' ? true : false
 enableAdminUI: experimentalSoftware.adminUI == 'true' ? true : false
@@ -364,12 +352,10 @@ module serviceBlade 'modules/blade_service.bicep' = {
 partitionServiceBusNames: partitionBlade.outputs.partitionServiceBusNames
 aksSubnetId: enableVnetInjection ? networkBlade.outputs.aksSubnetId : ''
- podSubnetId: enableVnetInjection && enablePodSubnet ? networkBlade.outputs.podSubnetId : ''
+ podSubnetId: enableVnetInjection ? networkBlade.outputs.podSubnetId : ''
 vmSize: customVMSize
 clusterIngress: ingressType == '' ? 'External' : ingressType
- serviceCidr: clusterNetwork.serviceCidr == '' ? '172.16.0.0/16' : clusterNetwork.serviceCidr
- dnsServiceIP: clusterNetwork.dnsServiceIP == '' ? '172.16.0.10' : clusterNetwork.vnet
 softwareBranch: clusterSoftware.branch
 softwareRepository: clusterSoftware.repository
diff --git a/bicep/modules/blade_service.bicep b/bicep/modules/blade_service.bicep
index 1096a51d..a8989c7c 100644
--- a/bicep/modules/blade_service.bicep
+++ b/bicep/modules/blade_service.bicep
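Review bot: With the `serviceCidr`/`dnsServiceIP` arguments dropped in `@@ -364,12 +352,10 @@` and the `clusterNetwork` parameter removed from main.bicep, the service range is now pinned to the module defaults (`172.16.0.0/16` / `172.16.0.10` from the blade_service hunk) with no caller-side override left. For a bring-your-own VNet supplied through `vnetConfiguration` whose address space overlaps 172.16.0.0/16, AKS rejects the cluster because the service CIDR must not overlap any subnet range, and the only remedy would be editing the module; keeping optional `serviceCidr`/`dnsServiceIP` members on `vnetConfiguration` and forwarding them when non-empty would preserve that escape hatch. Separately, `podSubnetId` is now forwarded whenever VNet injection is on even if no pod subnet was configured; whether `networkBlade.outputs.podSubnetId` is empty in that case is not visible here, so it is worth confirming the downstream module tolerates it. The serviceBlade module declaration starts and ends outside this hunk.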
@@ -84,13 +84,13 @@ param osduVersion string = 'master'
 @minLength(9)
 @maxLength(18)
 @description('The address range to use for services')
-param serviceCidr string
+param serviceCidr string = '172.16.0.0/16'
 @minLength(7)
 @maxLength(15)
 @description('The IP address to reserve for DNS')
-param dnsServiceIP string
+param dnsServiceIP string = '172.16.0.10'
 @description('The id of the subnet to deploy the AKS nodes')
 param aksSubnetId string
diff --git a/docs/src/design_platform.md b/docs/src/design_platform.md
index 9e3caa4a..35eb5181 100644
--- a/docs/src/design_platform.md
+++ b/docs/src/design_platform.md
@@ -63,6 +63,14 @@ This solution implements comprehensive best practices across security controls a
 ---
+ - [x] [API VNet Integration](https://learn.microsoft.com/en-us/azure/aks/api-server-vnet-integration)
+
+ Kubernetes API server projection into the VNET where AKS is deployed.
+
+ - [x] [Private Cluster](https://learn.microsoft.com/en-us/azure/aks/private-clusters?tabs=default-basic-networking%2Cazure-portal)
+
+ Enable private cluster mode providing public network access without exposure of the AKS API server to the internet.
+
 - [x] [CNI Overlay](https://learn.microsoft.com/en-us/azure/aks/azure-cni-overlay)
 Enhanced network security with overlay networking, providing logical separation between pod and node networks.
diff --git a/docs/src/feature_flags.md b/docs/src/feature_flags.md
index 3c30dd74..365add3c 100644
--- a/docs/src/feature_flags.md
+++ b/docs/src/feature_flags.md
@@ -51,6 +51,8 @@ Infrastructure customizations can be modified using the following feature flags.
 | CLUSTER_INGRESS | Specifies the Ingress type for the cluster (External, Internal, or Both) |
 | CLUSTER_VM_SIZE | Overrides the default server type with a custom VM size |
 | ENABLE_BLOB_PUBLIC_ACCESS | Enables public access for storage account blob (False by default) |
+| ENABLE_NODE_AUTO_PROVISIONING | Enables node auto provisioning (True by default) |
+| ENABLE_PRIVATE_CLUSTER | Enables private cluster (False by default) |
 ## Custom Software