Add dynamic service keyvault access policy for the AKS agentpool MSI (#2509)

2022-11-09 09:44:00 +10:00 · 2022-11-09 09:44:00 +10:00 · 143c8186a8
--- a/pkg/deploy/assets/rp-development-predeploy.json
+++ b/pkg/deploy/assets/rp-development-predeploy.json
@ -311,6 +311,30 @@
                "enableSoftDelete": true
            },
            "apiVersion": "2019-09-01"
+        },
+        {
+            "name": "[concat(parameters('keyvaultPrefix'), '-svc/add')]",
+            "type": "Microsoft.KeyVault/vaults/accessPolicies",
+            "properties": {
+                "accessPolicies": [
+                    {
+                        "tenantId": "[subscription().tenantId]",
+                        "objectId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', 'aro-aks-cluster-001'), '2020-12-01', 'Full').properties.identityProfile.kubeletidentity.objectId]",
+                        "permissions": {
+                            "secrets": [
+                                "get"
+                            ],
+                            "certificates": [
+                                "get"
+                            ]
+                        }
+                    }
+                ]
+            },
+            "apiVersion": "2021-10-01",
+            "dependsOn": [
+                "[concat(parameters('keyvaultPrefix'), '-svc')]"
+            ]
        }
    ]
 }
--- a/pkg/deploy/assets/rp-production-predeploy.json
+++ b/pkg/deploy/assets/rp-production-predeploy.json
@ -318,6 +318,30 @@
                "enableSoftDelete": true
            },
            "apiVersion": "2019-09-01"
+        },
+        {
+            "name": "[concat(parameters('keyvaultPrefix'), '-svc/add')]",
+            "type": "Microsoft.KeyVault/vaults/accessPolicies",
+            "properties": {
+                "accessPolicies": [
+                    {
+                        "tenantId": "[subscription().tenantId]",
+                        "objectId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', 'aro-aks-cluster-001'), '2020-12-01', 'Full').properties.identityProfile.kubeletidentity.objectId]",
+                        "permissions": {
+                            "secrets": [
+                                "get"
+                            ],
+                            "certificates": [
+                                "get"
+                            ]
+                        }
+                    }
+                ]
+            },
+            "apiVersion": "2021-10-01",
+            "dependsOn": [
+                "[concat(parameters('keyvaultPrefix'), '-svc')]"
+            ]
        }
    ]
 }
--- a/pkg/deploy/generator/resources_rp.go
+++ b/pkg/deploy/generator/resources_rp.go
@ -859,6 +859,35 @@ func (g *generator) rpPortalKeyvault() *arm.Resource {
 	}
 }

+func (g *generator) rpServiceKeyvaultDynamic() *arm.Resource {
+	vaultAccessPolicies := &mgmtkeyvault.Vault{
+		Properties: &mgmtkeyvault.VaultProperties{
+			AccessPolicies: &[]mgmtkeyvault.AccessPolicyEntry{
+				{
+					TenantID: &tenantUUIDHack,
+					ObjectID: to.StringPtr("[reference(resourceId('Microsoft.ContainerService/managedClusters', 'aro-aks-cluster-001'), '2020-12-01', 'Full').properties.identityProfile.kubeletidentity.objectId]"),
+					Permissions: &mgmtkeyvault.Permissions{
+						Secrets: &[]mgmtkeyvault.SecretPermissions{
+							mgmtkeyvault.SecretPermissionsGet,
+						},
+						Certificates: &[]mgmtkeyvault.CertificatePermissions{
+							mgmtkeyvault.Get,
+						},
+					},
+				},
+			},
+		},
+	}
+
+	return &arm.Resource{
+		Name:       "[concat(parameters('keyvaultPrefix'), '" + env.ServiceKeyvaultSuffix + "/add')]",
+		Type:       "Microsoft.KeyVault/vaults/accessPolicies",
+		APIVersion: azureclient.APIVersion("Microsoft.KeyVault/vaults/accessPolicies"),
+		DependsOn:  []string{"[concat(parameters('keyvaultPrefix'), '" + env.ServiceKeyvaultSuffix + "')]"},
+		Resource:   vaultAccessPolicies,
+	}
+}
+
 func (g *generator) rpServiceKeyvault() *arm.Resource {
 	vault := &mgmtkeyvault.Vault{
 		Properties: &mgmtkeyvault.VaultProperties{
--- a/pkg/deploy/generator/templates_rp.go
+++ b/pkg/deploy/generator/templates_rp.go
@ -312,6 +312,7 @@ func (g *generator) rpPredeployTemplate() *arm.Template {
 		g.rpDBTokenKeyvault(),
 		g.rpPortalKeyvault(),
 		g.rpServiceKeyvault(),
+		g.rpServiceKeyvaultDynamic(),
 	)

 	return t
--- a/pkg/util/azureclient/apiversions.go
+++ b/pkg/util/azureclient/apiversions.go
@ -9,22 +9,23 @@ import (

 // keys must be lower case
 var apiVersions = map[string]string{
-	"microsoft.authorization":                 "2018-09-01-preview",
-	"microsoft.authorization/denyassignments": "2018-07-01-preview",
-	"microsoft.authorization/roledefinitions": "2018-01-01-preview",
-	"microsoft.compute":                       "2020-12-01",
-	"microsoft.compute/disks":                 "2019-03-01",
-	"microsoft.compute/snapshots":             "2020-05-01",
-	"microsoft.compute/diskencryptionsets":    "2021-04-01",
-	"microsoft.containerregistry":             "2020-11-01-preview",
-	"microsoft.documentdb":                    "2021-01-15",
-	"microsoft.insights":                      "2018-03-01",
-	"microsoft.keyvault":                      "2019-09-01",
-	"microsoft.managedidentity":               "2018-11-30",
-	"microsoft.network":                       "2020-08-01",
-	"microsoft.network/dnszones":              "2018-05-01",
-	"microsoft.network/privatednszones":       "2018-09-01",
-	"microsoft.storage":                       "2019-04-01",
+	"microsoft.authorization":                  "2018-09-01-preview",
+	"microsoft.authorization/denyassignments":  "2018-07-01-preview",
+	"microsoft.authorization/roledefinitions":  "2018-01-01-preview",
+	"microsoft.compute":                        "2020-12-01",
+	"microsoft.compute/disks":                  "2019-03-01",
+	"microsoft.compute/snapshots":              "2020-05-01",
+	"microsoft.compute/diskencryptionsets":     "2021-04-01",
+	"microsoft.containerregistry":              "2020-11-01-preview",
+	"microsoft.documentdb":                     "2021-01-15",
+	"microsoft.insights":                       "2018-03-01",
+	"microsoft.keyvault":                       "2019-09-01",
+	"microsoft.keyvault/vaults/accesspolicies": "2021-10-01",
+	"microsoft.managedidentity":                "2018-11-30",
+	"microsoft.network":                        "2020-08-01",
+	"microsoft.network/dnszones":               "2018-05-01",
+	"microsoft.network/privatednszones":        "2018-09-01",
+	"microsoft.storage":                        "2019-04-01",
 }

 // APIVersion gets the APIVersion from a full resource type