From 9d843add2f5b8e1742f4d4138fa933acb2aed4f1 Mon Sep 17 00:00:00 2001
From: Hieu Nguyen Nhu <5441003+hieumoscow@users.noreply.github.com>
Date: Wed, 23 Jun 2021 14:26:05 +0800
Subject: [PATCH] Delete Kured & add var image, purge in pipelines
---
 .../workflows/deploy-secure-aks-baseline.yaml | 53 ++++++---
 .../kured-1.4.0-dockerhub.yaml | 109 ------------------
 .../scripts/deploy_level_with_rover.sh | 3 +-
 .../landingzone/scripts/launchpad.sh | 1 +
 4 files changed, 43 insertions(+), 123 deletions(-)
 delete mode 100644 enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/kured-1.4.0-dockerhub.yaml
diff --git a/.github/workflows/deploy-secure-aks-baseline.yaml b/.github/workflows/deploy-secure-aks-baseline.yaml
index 568dbe5..d3d410b 100644
--- a/.github/workflows/deploy-secure-aks-baseline.yaml
+++ b/.github/workflows/deploy-secure-aks-baseline.yaml
@@ -21,12 +21,13 @@ env:
 ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
 ARM_PARTNER_ID: "f85b2775-ec1d-4fef-949e-bbd6957082af"
 ENVIRONMENT: ${{ github.run_id }}
+ image: aztfmod/rover-preview:0.15.3-2105.210707
 jobs:
 deploy-launchpad:
 runs-on: ubuntu-latest
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 outputs:
 prefix: ${{ steps.test.outputs.PREFIX }}
@@ -70,7 +71,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: deploy-launchpad
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 outputs:
 prefix: ${{ steps.test.outputs.PREFIX }}
@@ -110,7 +111,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: deploy-launchpad
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 steps:
 - name: Checkout Repository
@@ -144,7 +145,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: deploy-networking-hub
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 steps:
 - name: Checkout Repository
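Review bot: `image: $(image)` on the `+` line of this hunk, and in the hunks at lines 71, 111, 145, 179, 219, 267, 297, 326, 356, 386 and 416, is Azure Pipelines macro syntax, which GitHub Actions does not expand, so each job will try to pull a container literally named `$(image)` and fail before its first step runs. GitHub expressions are written `${{ }}`, and as far as I recall the `env` context is not among the contexts available in `jobs.<job_id>.container.image`, so the new `image:` entry added under the top-level `env:` cannot be referenced from there either. Either keep the literal `image: aztfmod/rover-preview:0.15.3-2105.210707` in each job, or pass the tag in through a `workflow_call`/`workflow_dispatch` input and write `image: ${{ inputs.image }}`, which is a context the container key does accept. The `purge` job added in the last hunk pins a different image, `aztfmod/rover:0.15.4-2105.2603`, so a single shared variable would not cover it anyway; each of these hunks shows only part of its job definition.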
@@ -178,7 +179,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [deploy-networking-hub, deploy-networking-spoke, deploy-shared-services]
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 outputs:
 prefix: ${{ steps.test.outputs.PREFIX }}
@@ -218,7 +219,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: deploy-aks
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 steps:
 - name: Checkout Repository
@@ -266,7 +267,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: deploy-addons
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 steps:
 - name: Checkout Repository
@@ -296,7 +297,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [destroy-addons]
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 steps:
 - name: Checkout Repository
@@ -325,7 +326,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: destroy-aks
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 steps:
 - name: Checkout Repository
@@ -355,7 +356,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: destroy-aks
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 steps:
 - name: Checkout Repository
@@ -385,7 +386,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: destroy-networking-spoke
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 steps:
 - name: Checkout Repository
@@ -415,7 +416,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [destroy-networking-hub, destroy-shared-services]
 container:
- image: aztfmod/rover-preview:0.15.3-2105.210707
+ image: $(image)
 options: --user 0
 steps:
 - name: Checkout Repository
@@ -439,4 +440,30 @@ jobs:
 /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/launchpad.sh
 env:
 ACTION: "destroy -auto-approve"
-
\ No newline at end of file
+
+ purge:
+ name: purge
+ runs-on: ubuntu-latest
+ if: ${{ failure() || cancelled() }}
+
+ needs: [deploy-launchpad, deploy-shared-services, deploy-networking-hub, deploy-networking-spoke,deploy-aks, deploy-addons, destroy-addons, destroy-aks, destroy-networking-spoke, destroy-networking-hub, destroy-shared-services, destroy-launchpad]
+
+ container:
+ image: aztfmod/rover:0.15.4-2105.2603
+ options: --user 0
+
+ steps:
+ - name: Login azure
+ run: |
+ az login --service-principal -u '${{ env.ARM_CLIENT_ID }}' -p '${{ env.ARM_CLIENT_SECRET }}' --tenant '${{ env.ARM_TENANT_ID }}'
+ az account set -s ${{ env.ARM_SUBSCRIPTION_ID }}
+ - name: Complete purge
+ run: |
+ for i in `az monitor diagnostic-settings subscription list -o tsv --query "value[?contains(name, '${{ github.run_id }}' )].name"`; do echo "purging subscription diagnostic-settings: $i" && $(az monitor diagnostic-settings subscription delete --name $i --yes); done
+ for i in `az monitor log-profiles list -o tsv --query '[].name'`; do az monitor log-profiles delete --name $i; done
+ for i in `az ad group list --query "[?contains(displayName, '${{ github.run_id }}')].objectId" -o tsv`; do echo "purging Azure AD group: $i" && $(az ad group delete --verbose --group $i || true); done
+ for i in `az ad app list --query "[?contains(displayName, '${{ github.run_id }}')].appId" -o tsv`; do echo "purging Azure AD app: $i" && $(az ad app delete --verbose --id $i || true); done
+ for i in `az keyvault list-deleted --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do az keyvault purge --name $i; done
+ for i in `az group list --query "[?tags.testing_job_id=='${{ github.run_id }}'].name" -o tsv`; do echo "purging resource group: $i" && $(az group delete -n $i -y --no-wait || true); done
+ for i in 
`az role assignment list --query "[?contains(roleDefinitionName, '${{ github.run_id }}')].roleDefinitionName" -o tsv`; do echo "purging role assignment: $i" && $(az role assignment delete --role $i || true); done
+ for i in `az role definition list --query "[?contains(roleName, '${{ github.run_id }}')].roleName" -o tsv`; do echo "purging custom role definition: $i" && $(az role definition delete --name $i || true); done
\ No newline at end of file
diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/kured-1.4.0-dockerhub.yaml b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/kured-1.4.0-dockerhub.yaml
deleted file mode 100644
index a0f855d..0000000
--- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/cluster-baseline-settings/kured-1.4.0-dockerhub.yaml
+++ /dev/null
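Review bot: The `az monitor log-profiles` loop in the `Complete purge` step is the only loop in this hunk that carries no `${{ github.run_id }}` filter: it queries `'[].name'` and deletes every log profile in the subscription, so one failed or cancelled run removes activity-log export that unrelated environments may depend on. If the profiles are named per run like the diagnostic settings, filter them the same way, `--query "[?contains(name, '${{ github.run_id }}')].name"`, and otherwise drop the loop. The other loops wrap each delete as `$(az ... delete ... || true)`, which runs the command and then tries to execute its stdout as a command while `|| true` hides real failures; a plain `az ... delete ... || echo "purge failed: $i"` keeps the best-effort behaviour and leaves the failure visible in the log. The `az login` step also templates the client secret into the script text via `-p '${{ env.ARM_CLIENT_SECRET }}'`; GitHub masks registered secrets in the log, but reading the workflow-level env from the shell instead, `-p "$ARM_CLIENT_SECRET"`, avoids rendering it into the script at all (assuming `ARM_CLIENT_SECRET` is defined in the top-level `env:` block like `ARM_TENANT_ID`).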
@@ -1,109 +0,0 @@
-# https://github.com/weaveworks/kured/releases/download/1.4.0/kured-1.4.0-dockerhub.yaml
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: kured
-rules:
- - apiGroups: [""]
- resources: ["nodes"]
- verbs: ["get", "patch"]
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["list", "delete", "get"]
- - apiGroups: ["apps"]
- resources: ["daemonsets"]
- verbs: ["get"]
- - apiGroups: [""]
- resources: ["pods/eviction"]
- verbs: ["create"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: kured
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: kured
-subjects:
- - kind: ServiceAccount
- name: kured
- namespace: cluster-baseline-settings
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: cluster-baseline-settings
- name: kured
-rules:
- - apiGroups: ["apps"]
- resources: ["daemonsets"]
- resourceNames: ["kured"]
- verbs: ["update"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- namespace: cluster-baseline-settings
- name: kured
-subjects:
- - kind: ServiceAccount
- namespace: cluster-baseline-settings
- name: kured
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: kured
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: kured
- namespace: cluster-baseline-settings
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: kured
- namespace: cluster-baseline-settings
-spec:
- selector:
- matchLabels:
- name: kured
- updateStrategy:
- type: RollingUpdate
- template:
- metadata:
- labels:
- name: kured
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "8080"
- spec:
- serviceAccountName: kured
- tolerations:
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- hostPID: true
- restartPolicy: Always
- containers:
- - name: kured
- # PRODUCTION READINESS CHANGE REQUIRED
- # This image should be sourced from a non-public container
registry, such as the
- # one deployed along side of this reference implementation.
- # az acr import --source docker.io/weaveworks/kured:1.4.0 -n
- # and then set this to
- # image: .azurecr.io/weaveworks/kured:1.4.0
- image: docker.io/weaveworks/kured:1.4.0
- imagePullPolicy: IfNotPresent
- securityContext:
- privileged: true
- env:
- - name: KURED_NODE_ID
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- command:
- - /usr/bin/kured
- --ds-namespace=cluster-baseline-settings
diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/deploy_level_with_rover.sh b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/deploy_level_with_rover.sh
index fbb4c7f..e855ead 100755
--- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/deploy_level_with_rover.sh
+++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/deploy_level_with_rover.sh
@@ -25,5 +25,6 @@ fi
 -lz /tf/caf/landingzones/caf_solution${ADDON_NAME} \
 -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/configuration/${LEVEL_NAME}/${LZ_NAME} \
 -tfstate ${LZ_NAME}.tfstate \
+ -var tags='{testing_job_id='$TF_VAR_environment'}' \
 -level ${LEVEL_NAME} \
- -a ${ACTION}
+ -a ${ACTION}
\ No newline at end of file
diff --git a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/launchpad.sh b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/launchpad.sh
index 3f2fb32..77e0147 100755
--- a/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/launchpad.sh
+++ b/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/scripts/launchpad.sh
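Review bot: The added `-var tags=` line in deploy_level_with_rover.sh expands `$TF_VAR_environment` unquoted, while the same line added to launchpad.sh (the hunk at line 18 of that file) wraps it as `'"$TF_VAR_environment"'`; an empty or whitespace-containing value would alter the argument list here, so use the quoted form in both scripts: `-var tags='{testing_job_id='"$TF_VAR_environment"'}' \`. In both scripts the map value is also bare HCL: `{testing_job_id=12345}` parses only because the value is presumably `github.run_id`, a number, whereas a non-numeric value would be read as an HCL reference and rejected, and `-var tags='{testing_job_id="'"$TF_VAR_environment"'"}' \` quotes it so the scripts no longer depend on that. The `-a ${ACTION}` line is rewritten only to drop the file's trailing newline (see the `\ No newline at end of file` marker), which should be restored. The rover invocation these arguments belong to starts above the hunk.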
@@ -18,6 +18,7 @@ then
 -lz /tf/caf/landingzones/caf_launchpad \
 -var-folder /tf/caf/enterprise_scale/construction_sets/aks/online/aks_secure_baseline/landingzone/configuration/level0/launchpad \
 -launchpad \
+ -var tags='{testing_job_id='"$TF_VAR_environment"'}' \
 -level level0 \
 -a ${ACTION}
 else