* Add missing RP-Config param to RP deploy ARM template
* Plumb msiRpEndpoint ARM parameter through to RP environment variable
* Regenerate RP ARM template
* Remove duplicated MSI_RP_ENDPOINT envvar in RP env
* Add env var to aro-rp.service startup
* Regenerate RP ARM template
---------
Co-authored-by: Tanmay Satam <tsatam@redhat.com>
* Add a parameter for enabling Entra ID RBAC on key vaults
* Add an RP-level feature flag for determining whether to use the mock MSI RP
* Tweak the mock identity URL to play nicely with the mock MSI RP
* Add Azure SDK client wrappers for new clients (federated identity credentials control plane and key vault data plane)
* Vendor in new Azure SDK clients and update msi-dataplane
* Lay groundwork for use of cluster MSI...
- Initialize the MSI dataplane client, using the mock MSI RP/stub if
appropriate
- Initialize key vault store client (for MSI certificates; functionality
is implemented in MSI dataplane module)
- Create a cluster MSI certificate and store it in the key vault during
cluster bootstrap
- Instantiate an Azure SDK FederatedIdentityCredential client using the
cluster MSI certificate
- Delete the cluster MSI certificate as needed during cluster deletion
* Don't fail during cluster deletion if the cluster MSI certificate is
already gone from the key vault (or was potentially never created)
* Establish an RP-Config variable for the MSI RP endpoint
- Update doc comment for ensureClusterMsiCertificate
- Simplify conditional logic in MSI cert deletion
* Use pointer conversion functions that aren't deprecated
* Respond to PR comments (and fix some other things along the way)
- Move `clusterMsiResourceId` function to `OpenShiftCluster` type
- When persisting the MSI cert to KV, use the `NotAfter` returned by the MSI RP (for the stub, just use an arbitrary value)
- Move `getClientOptions` functionality to `AROEnvironment` type
- Move logic for determining cluster MSI key vault name to `pkg/env`
- Pull cloud name mapping stuff out to `AROEnvironment` type
- Update msi-dataplane module to include new changes and use `UserAssignedIdentities` type to get Azure credential in `pkg/cluster/clustermsi.go`
- Fix typo in https URL in comment in `pkg/cluster/delete.go`
- Implement suggestion to use `errors.As` instead of a type assertion in `pkg/cluster/delete.go`
* Update documentation with info about new feature flag
- Move new cluster MSI steps forward in bootstrap step order
- Move MSI dataplane client options stuff to pkg/env
- Explicitly check for a single cluster MSI in `ClusterMsiResourceId`
- Other small tweaks
* Vendor in msi-dataplane update that prevents a potential nil pointer dereference
* Add missing method to internal key vault client
* Make error messages more specific in ClusterMsiResourceId
* Add missing env vars to run-rp make target and uncomment dynamic validation bootstrap step
- In newly added Azure clients, return struct types instead of interface
types
- Move cluster MSI certificate deletion to be after Azure resource
deletion for safety just in case cx continues to use cluster that is
in Failed/Deleting provisioning state
* Add new env vars for MIWI to env.example for clarity/completeness
* Turn check for nonzero number of user assigned identities into a utility function
* Use existing constant for key vault dns suffix
* Remove dnf update cron job
Automatic OS Updates are configured. Updating packages via a cron job is no longer required.
* Remove certs arg from verify_role, Add/Remove comments
Certificate generation has been broken up into a named function for each VMSS role. This means it's no longer necessary to provide the certs=true argumenet when checking VMSS roles.
Add a comment for why AZURE_CLOUD_NAME returns an error if unset.
Remove az cli login comment from pull_container_images, it is no longer relevant after the last refactor.
* Update RP and Gateway vmss OS image to cbl-mariner-2-gen2 with Manually Configured FIPS Mode
System Changes:
Remove lvm disk resize, Mariner does not use lvm, the disk is automatically grown to the full size specified.
Remove semanage, Mariner Linux does not have selinux configured.
Remove gateway log rotation config
Log rotation for the podman level driver log was not the correct
approach. The podman log driver is now journald, so all logs will be
shipped to journald rather than a ctr.log file.
fips mode is manually configured following the example code at https://eng.ms/docs/products/azure-linux/features/security/fips
SKU cbl-mariner-2-gen2-fips does not support Automatic OS Updates, therefore we are switching to cbl-mariner-2-gen2, manually configuring fips mode, to allow for Automatic OS Updates.
Script Changes:
Restructure VMSS bootstrap bash scripts for increased reliability, and easier debugging
Move all shared code into a commonly shared file to be sourced by all
bootstrapping scripts. This allows for code reuse, minimal duplication.
Fix mdm mdsd certificate download script
During mdm and mdsd setup, I've added wait steps for the download
scripts to complete getting certificates. Without this, the download
scripts run in a subshell and fixing up the certificates fails.
Add firewalld configuration, required for podman networking
Add podman aro network creation to isolate RP containers from possible
interaction on the default podman network.
Package Changes:
Install Azure Security Monitor via VMSS Extension
Remove RHUI and Microsoft repo configuration, add Mariner Extended repo config
Increase rpm retry time to 30 minutes total, every 30 seconds.
* Embed scripts as strings rather than []byte
This is to reduce the amount of type conversions needed.
* Fetch USER env var once
Fetch the USER env var once instead of multiple times for faster DevConfig func execution time
* Set Azure unique prefix and USER as optional
Use an Azure unique prefix for the Azure resources that ARO-RP is using instead of always fetching the USER. When AZURE_UNIQUE_PREFIX env var is not set, then use the USER env var
* Modify more USER references
Rename AZURE_UNIQUE_PREFIX to AZURE_PREFIX, and export the usage of this env var for Azure prefix name resources when it is set. When it is missing use the default USER env var, as before
Amber Brown
Ben Vesel
Kipp Morris
Anshul Verma
Hilliary Lipsig
kimorris27
Ankur Singh
Jory Horeman
Steven Fairchild
Tony Schneider
Brendan Bergen
Or Raz
Steven Fairchild
Rajdeep Chauhan
Maitiú Ó Ciaráin
Aldo Fuster Turpin
Nont
Tanmay Satam