* This is the new CI-RP stage for the pipline (#3753)
* Ensure Podman Service is Started and PODMAN_REMOTE_ARGS is Configured Automatically
Ensure Podman Service is Started and PODMAN_REMOTE_ARGS is Configured Automatically
Ensure Podman Service is Started and PODMAN_REMOTE_ARGS is Configured Automatically
removed the tag
Add Podman service start and remote args setup for seamless operation
Add sudo to start Podman service for elevated permissions and fix permission errors
Add sudo to start Podman service for elevated permissions and fix permission errors
Refactor Makefile: Update Podman service handling with sudo and remove default PODMAN_REMOTE_ARGS to improve flexibility and ensure proper permissions.
Add sudo to start Podman service for elevated permissions and fix permission errors
* Added Podman service target and set PODMAN_REMOTE_ARGS for seamless builds.
* fix the makefile
* added the port to fix the Makefile
* Update RP and Gateway vmss OS image to cbl-mariner-2-gen2 with Manually Configured FIPS Mode
System Changes:
Remove lvm disk resize, Mariner does not use lvm, the disk is automatically grown to the full size specified.
Remove semanage, Mariner Linux does not have selinux configured.
Remove gateway log rotation config
Log rotation for the podman level driver log was not the correct
approach. The podman log driver is now journald, so all logs will be
shipped to journald rather than a ctr.log file.
fips mode is manually configured following the example code at https://eng.ms/docs/products/azure-linux/features/security/fips
SKU cbl-mariner-2-gen2-fips does not support Automatic OS Updates, therefore we are switching to cbl-mariner-2-gen2, manually configuring fips mode, to allow for Automatic OS Updates.
Script Changes:
Restructure VMSS bootstrap bash scripts for increased reliability, and easier debugging
Move all shared code into a commonly shared file to be sourced by all
bootstrapping scripts. This allows for code reuse, minimal duplication.
Fix mdm mdsd certificate download script
During mdm and mdsd setup, I've added wait steps for the download
scripts to complete getting certificates. Without this, the download
scripts run in a subshell and fixing up the certificates fails.
Add firewalld configuration, required for podman networking
Add podman aro network creation to isolate RP containers from possible
interaction on the default podman network.
Package Changes:
Install Azure Security Monitor via VMSS Extension
Remove RHUI and Microsoft repo configuration, add Mariner Extended repo config
Increase rpm retry time to 30 minutes total, every 30 seconds.
* Embed scripts as strings rather than []byte
This is to reduce the amount of type conversions needed.
- Allows true use of NO_CACHE by using LABELs and podman tag commands instead of --cache-from
- Standardizes formatting of image names and variables
- Standardizes use of VERSION for image tags
- Standardizes formatting of podman commands and parameter ordering
* Add unit tests for existing frontend version validation
* Use semver package to validate versions in frontend instead of regex
This allows the ability to provide prerelease versions or version strings
containing metadata.
* Ensure disableUpdates does not propagate metadata in version string to clusterversion resource
* Exclude platform identities from permissions denial
Add platform workload identities to the list of service principals
excluded from the permissions denial so that those identities can manage
Azure resources in the cluster's resource group
* improve testing of deny assignment generation
this confirms that ExcludePrincipals are generated correctly for the
deny assignment based on the presence of a ServicePrincipalProfile or a
PlatformWorkloadIdentityProfile
* use UsesWorkloadIdentity() helper function instead of bespoke check
* check empty ObjectID/SPObjectID values separately
* prevent nil pointer dereference for missing ServicePrincipalProfile
Runlocal-RP is Containerized
- Modified Makefile to execute a local `podman run` for the RP on 127.0.0.1
- Local RPs now by default interact with Hive due to MacOS limitations
- Updated RP dev config to serve on all IPs due to MacOS limitations
- Doc updates
* Add --assign-platform-wi flag to az aro update
* Fix nil pointer dereference when converting Identity structs on API
* Restructure update command to make branching logic more clear
* Remove duplicate test
* Disallow passing in duplicate platform workload identities within the same create/update invocation
* Ensure reported duplicate platform_workload_identities list doesn't itself contain duplicates
* Fetch USER env var once
Fetch the USER env var once instead of multiple times for faster DevConfig func execution time
* Set Azure unique prefix and USER as optional
Use an Azure unique prefix for the Azure resources that ARO-RP is using instead of always fetching the USER. When AZURE_UNIQUE_PREFIX env var is not set, then use the USER env var
* Modify more USER references
Rename AZURE_UNIQUE_PREFIX to AZURE_PREFIX, and export the usage of this env var for Azure prefix name resources when it is set. When it is missing use the default USER env var, as before
Nont
Petr Kotas
Ayato Tokubi
Shubhadapaithankar
Maitiú Ó Ciaráin
Alex Chvatal
Alex Chvatal
dependabot[bot]
Lisa Rashidi-Ranjbar
Tanmay Satam
Steven Fairchild
Brendan Bergen
Nicolas Ontiveros
oraz
Amber Brown
Amit Arora