diff --git a/.github/workflows/ByoVnetCI.yml b/.github/workflows/ByoVnetCI.yml index 74536b636..e369f70dc 100644 --- a/.github/workflows/ByoVnetCI.yml +++ b/.github/workflows/ByoVnetCI.yml @@ -203,7 +203,7 @@ jobs: } else { Write-Output "-- Looks like $feature is registered properly" } } - if($params.parameters.azureKeyvaultSecretsProvider.value -eq $true) { + if($params.parameters.keyVaultAksCSI.value -eq $true) { $feature='AKS-AzureKeyVaultSecretsProvider' write-output "-- $feature" $featureCsi = $aksfeatures | Where-Object {$_.name -like "*$feature"} @@ -336,7 +336,7 @@ jobs: $paramFileContent=Get-Content $paramFilePath $params=$paramFileContent|ConvertFrom-Json - if($params.parameters.createKV.value -eq $true) { + if($params.parameters.keyVaultCreate.value -eq $true) { Write-Output "Checking for already existing soft deleted KV" #lets do this properly and interrogate the whatif file for the KVNAME @@ -641,7 +641,7 @@ jobs: } Write-Output "Checking for CSI Secrets driver" - if($params.parameters.azureKeyvaultSecretsProvider.value -eq $true) { + if($params.parameters.keyVaultAksCSI.value -eq $true) { $csiEnabled=az aks show -n $AKSNAME -g $RG --query "addonProfiles.omsagent.enabled" -o tsv write-output $csiEnabled diff --git a/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json b/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json index 84b9c6ddf..536a82208 100644 --- a/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json +++ b/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json @@ -65,10 +65,10 @@ "SystemPoolType" : { "value" : "Standard" }, - "createKV" : { + "keyVaultCreate" : { "value" : true }, - "azureKeyvaultSecretsProvider" : { + "keyVaultAksCSI" : { "value" : true }, "appgwKVIntegration" : { @@ -87,10 +87,10 @@ "guard" ] }, - "KeyVaultSoftDelete" : { + "keyVaultSoftDelete" : { "value" : false }, - "KeyVaultPurgeProtection" : { + "keyVaultPurgeProtection" : { "value" : false }, "dnsZoneId" : { 
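Review bot: The renamed keyVaultAksCSI branch in the -641 hunk still verifies the wrong addon: the context line right after the new `if` runs az aks show with `--query "addonProfiles.omsagent.enabled"`, so the step labelled "Checking for CSI Secrets driver" passes or fails on the monitoring agent rather than on the secrets provider the parameter turns on. Unless the query is deliberately reused, it should read `--query "addonProfiles.azureKeyvaultSecretsProvider.enabled"`, matching the addon profile key main.bicep sets when keyVaultAksCSI is true. The -203 and -336 hunks of this file make the same parameter-name switch and look consistent with the renamed parameter files. The enclosing PowerShell step starts and ends outside each hunk.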
diff --git a/.github/workflows_dep/AksDeploy-Private.parameters.json b/.github/workflows_dep/AksDeploy-Private.parameters.json
index 8b7ab44ff..943d4956d 100644
--- a/.github/workflows_dep/AksDeploy-Private.parameters.json
+++ b/.github/workflows_dep/AksDeploy-Private.parameters.json
@@ -74,10 +74,10 @@
 "appgwKVIntegration": {
 "value": true
 },
- "azureKeyvaultSecretsProvider": {
+ "keyVaultAksCSI": {
 "value": true
 },
- "createKV": {
+ "keyVaultCreate": {
 "value": true
 },
 "upgradeChannel": {
diff --git a/.github/workflows_dep/regressionparams/classic-custom-vnet-plus-firewall.json b/.github/workflows_dep/regressionparams/classic-custom-vnet-plus-firewall.json
index 980679350..a48f7f9fa 100644
--- a/.github/workflows_dep/regressionparams/classic-custom-vnet-plus-firewall.json
+++ b/.github/workflows_dep/regressionparams/classic-custom-vnet-plus-firewall.json
@@ -44,10 +44,10 @@
 "networkPlugin": {
 "value": "azure"
 },
- "KeyVaultSoftDelete" : {
+ "keyVaultSoftDelete" : {
 "value" : false
 },
- "KeyVaultPurgeProtection" : {
+ "keyVaultPurgeProtection" : {
 "value" : false
 }
 }
diff --git a/.github/workflows_dep/regressionparams/key-vault.json b/.github/workflows_dep/regressionparams/key-vault.json
index b8c030cb8..beb61140f 100644
--- a/.github/workflows_dep/regressionparams/key-vault.json
+++ b/.github/workflows_dep/regressionparams/key-vault.json
@@ -32,13 +32,13 @@
 "appgwKVIntegration": {
 "value": true
 },
- "azureKeyvaultSecretsProvider": {
+ "keyVaultAksCSI": {
 "value": true
 },
- "createKV": {
+ "keyVaultCreate": {
 "value": true
 },
- "kvIPAllowlist": {
+ "keyVaultIPAllowlist": {
 "value": [
 "1.2.3.4/32"
 ]
diff --git a/.github/workflows_dep/regressionparams/managed-private-privatelink.json b/.github/workflows_dep/regressionparams/managed-private-privatelink.json
index b77a7f010..079064eae 100644
--- a/.github/workflows_dep/regressionparams/managed-private-privatelink.json
+++ b/.github/workflows_dep/regressionparams/managed-private-privatelink.json
@@ -74,10 +74,10 @@
 "appgwKVIntegration": {
 "value": true
 },
- "azureKeyvaultSecretsProvider": {
+ "keyVaultAksCSI": {
 "value": true
 },
- "createKV": {
+ "keyVaultCreate": {
 "value": true
 },
 "upgradeChannel": {
diff --git a/.github/workflows_dep/regressionparams/managed-private.json b/.github/workflows_dep/regressionparams/managed-private.json
index a80ac7ff3..41b94ee52 100644
--- a/.github/workflows_dep/regressionparams/managed-private.json
+++ b/.github/workflows_dep/regressionparams/managed-private.json
@@ -59,10 +59,10 @@
 "appgwKVIntegration": {
 "value": true
 },
- "createKV": {
+ "keyVaultCreate": {
 "value": true
 },
- "azureKeyvaultSecretsProvider": {
+ "keyVaultAksCSI": {
 "value": true
 },
 "upgradeChannel": {
diff --git a/.github/workflows_dep/regressionparams/managed-public.json b/.github/workflows_dep/regressionparams/managed-public.json
index e491669bf..b40bf6bae 100644
--- a/.github/workflows_dep/regressionparams/managed-public.json
+++ b/.github/workflows_dep/regressionparams/managed-public.json
@@ -53,10 +53,10 @@
 "appgwKVIntegration": {
 "value": true
 },
- "createKV": {
+ "keyVaultCreate": {
 "value": true
 },
- "azureKeyvaultSecretsProvider": {
+ "keyVaultAksCSI": {
 "value": true
 },
 "upgradeChannel": {
diff --git a/.github/workflows_dep/regressionparams/open-secure.json b/.github/workflows_dep/regressionparams/open-secure.json
index f2870a8d0..fc77c7055 100644
--- a/.github/workflows_dep/regressionparams/open-secure.json
+++ b/.github/workflows_dep/regressionparams/open-secure.json
@@ -23,10 +23,10 @@
 "azurepolicy": {
 "value": "audit"
 },
- "azureKeyvaultSecretsProvider": {
+ "keyVaultAksCSI": {
 "value": true
 },
- "createKV": {
+ "keyVaultCreate": {
 "value": true
 }
 }
diff --git a/.github/workflows_dep/regressionparams/optimised-for-well-architected.json b/.github/workflows_dep/regressionparams/optimised-for-well-architected.json
index ab5dfb595..3ad1104ea 100644
--- a/.github/workflows_dep/regressionparams/optimised-for-well-architected.json
+++ b/.github/workflows_dep/regressionparams/optimised-for-well-architected.json
@@ -73,10 +73,10 @@
 "appgwKVIntegration": {
 "value": true
 },
- "azureKeyvaultSecretsProvider": {
+ "keyVaultAksCSI": {
 "value": true
 },
- "createKV": {
+ "keyVaultCreate": {
 "value": true
 },
 "upgradeChannel": {
diff --git a/bicep/keyvault.bicep b/bicep/keyvault.bicep
new file mode 100644
index 000000000..3a6283f3d
--- /dev/null
+++ b/bicep/keyvault.bicep
@@ -0,0 +1,80 @@
+@minLength(2)
+@description('The location to use for the deployment. defaults to Resource Groups location.')
+param location string = resourceGroup().location
+
+@minLength(3)
+@maxLength(20)
+@description('Used to name all resources')
+param resourceName string
+
+@description('Enable support for private links')
+param privateLinks bool = false
+
+@description('If soft delete protection is enabled')
+param keyVaultSoftDelete bool = true
+
+@description('If purge protection is enabled')
+param keyVaultPurgeProtection bool = true
+
+@description('Add IP to KV firewall allow-list')
+param keyVaultIPAllowlist array = []
+
+param logAnalyticsWorkspaceId string = ''
+
+var akvRawName = 'kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
+var akvName = length(akvRawName) > 24 ? substring(akvRawName, 0, 24) : akvRawName
+
+var kvIPRules = [for kvIp in keyVaultIPAllowlist: {
+ value: kvIp
+}]
+
+resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
+ name: akvName
+ location: location
+ properties: {
+ tenantId: subscription().tenantId
+ sku: {
+ family: 'A'
+ name: 'standard'
+ }
+ // publicNetworkAccess: whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked.
+ publicNetworkAccess: privateLinks && empty(keyVaultIPAllowlist) ? 'disabled' : 'enabled'
+
+ networkAcls: privateLinks && !empty(keyVaultIPAllowlist) ? {
+ bypass: 'AzureServices'
+ defaultAction: 'Deny'
+ ipRules: kvIPRules
+ virtualNetworkRules: []
+ } : {}
+
+ enableRbacAuthorization: true
+ enabledForDeployment: false
+ enabledForDiskEncryption: false
+ enabledForTemplateDeployment: false
+ enableSoftDelete: keyVaultSoftDelete
+ enablePurgeProtection: keyVaultPurgeProtection ? true : json('null')
+ }
+}
+
+resource kvDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(logAnalyticsWorkspaceId)) {
+ name: 'kvDiags'
+ scope: kv
+ properties: {
+ workspaceId: logAnalyticsWorkspaceId
+ logs: [
+ {
+ category: 'AuditEvent'
+ enabled: true
+ }
+ ]
+ metrics: [
+ {
+ category: 'AllMetrics'
+ enabled: true
+ }
+ ]
+ }
+}
+
+output keyVaultName string = kv.name
+output keyVaultId string = kv.id
diff --git a/bicep/keyvaultrbac.bicep b/bicep/keyvaultrbac.bicep
new file mode 100644
index 000000000..753ff02d3
--- /dev/null
+++ b/bicep/keyvaultrbac.bicep
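Review bot: keyVaultIPAllowlist is silently ignored whenever privateLinks is false: both publicNetworkAccess and networkAcls gate on privateLinks, so a non-private deployment that supplies an allow-list still gets a publicly reachable vault with empty network ACLs (RBAC authentication still applies, but no IP restriction is set). The parameter description should say so, e.g. `@description('Add IP to KV firewall allow-list. Only applied when privateLinks is true; otherwise public network access stays enabled with no network ACLs.')`. logAnalyticsWorkspaceId has no description at all, and the kvDiags setting that ships AuditEvent logs is skipped when it is empty; a line such as `@description('Log Analytics workspace id for Key Vault AuditEvent diagnostics; leave empty to skip the diagnostic setting')` would make that visible to callers.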
@@ -0,0 +1,74 @@
+param keyVaultName string
+
+@description('An array of Service Principal IDs')
+param rbacSecretUserSps array = []
+
+@description('An array of Service Principal IDs')
+param rbacSecretOfficerSps array = []
+
+@description('An array of Service Principal IDs')
+param rbacCertOfficerSps array = []
+
+@description('An array of User IDs')
+param rbacSecretOfficerUsers array = []
+
+@description('An array of User IDs')
+param rbacCertOfficerUsers array = []
+
+var keyVaultSecretsUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
+var keyVaultSecretsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
+var keyVaultCertsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
+
+resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
+ name: keyVaultName
+}
+
+resource rbacSecretUserSp 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacSecretUserSps : if(!empty(rbacSp)) {
+ scope: kv
+ name: guid(kv.id, rbacSp, keyVaultSecretsUserRole)
+ properties: {
+ roleDefinitionId: keyVaultSecretsUserRole
+ principalType: 'ServicePrincipal'
+ principalId: rbacSp
+ }
+}]
+
+resource rbacSecretOfficerSp 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacSecretOfficerSps : if(!empty(rbacSp)) {
+ scope: kv
+ name: guid(kv.id, rbacSp, keyVaultSecretsOfficerRole)
+ properties: {
+ roleDefinitionId: keyVaultSecretsOfficerRole
+ principalType: 'ServicePrincipal'
+ principalId: rbacSp
+ }
+}]
+
+resource rbacCertsOfficerSp 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacCertOfficerSps : if(!empty(rbacSp)) {
+ scope: kv
+ name: guid(kv.id, rbacSp, keyVaultCertsOfficerRole)
+ properties: {
+ roleDefinitionId: keyVaultCertsOfficerRole
+ principalType: 'ServicePrincipal'
+ principalId: rbacSp
+ }
+}]
+
+resource rbacSecretOfficerUser 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacSecretOfficerUsers : if(!empty(rbacSp)) {
+ scope: kv
+ name: guid(kv.id, rbacSp, keyVaultSecretsOfficerRole)
+ properties: {
+ roleDefinitionId: keyVaultSecretsOfficerRole
+ principalType: 'User'
+ principalId: rbacSp
+ }
+}]
+
+resource rbacCertsOfficerUser 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacCertOfficerUsers : if(!empty(rbacSp)) {
+ scope: kv
+ name: guid(kv.id, rbacSp, keyVaultCertsOfficerRole)
+ properties: {
+ roleDefinitionId: keyVaultCertsOfficerRole
+ principalType: 'User'
+ principalId: rbacSp
+ }
+}]
diff --git a/bicep/main.bicep b/bicep/main.bicep
index 3c42389c8..e9690085b 100644
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@@ -138,7 +138,7 @@ module network './network.bicep' = if (custom_vnet) {
 privateLinks: privateLinks
 privateLinkSubnetAddressPrefix: privateLinkSubnetAddressPrefix
 privateLinkAcrId: privateLinks && !empty(registries_sku) ? acr.id : ''
- privateLinkAkvId: privateLinks && createKV ? kv.id : ''
+ privateLinkAkvId: privateLinks && keyVaultCreate ? kv.outputs.keyVaultId : ''
 acrPrivatePool: acrPrivatePool
 acrAgentPoolSubnetAddressPrefix: acrAgentPoolSubnetAddressPrefix
 bastion: bastion
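Review bot: The three identical 'An array of Service Principal IDs' descriptions never say which role each list is granted, and the three roleDefinitions GUID vars carry no comment, so a reader of keyvaultrbac.bicep cannot tell without a lookup that rbacSecretUserSps receives the (read-only) Key Vault Secrets User role while the officer lists receive write access to secrets or certificates. Suggest naming the role in each description, e.g. `@description('Service principal object ids granted the Key Vault Secrets User role (read secret values)')`, commenting each var with the built-in role name it resolves to, and giving keyVaultName a description as well. The two user loops on the new side also reuse the loop variable name rbacSp for user ids, which reads as a copy of the service-principal loops; `[for principalId in rbacSecretOfficerUsers : if(!empty(principalId)) {` would be clearer. This hunk begins on the previous source line.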
@@ -189,131 +189,64 @@ module dnsZone './dnsZoneRbac.bicep' = if (!empty(dnsZoneId)) { | . \ | |____ | | \ / / _____ \ | `--' | | `----. | | |__|\__\ |_______| |__| \__/ /__/ \__\ \______/ |_______| |__| */ -@description('Installs the AKS KV CSI provider') -param azureKeyvaultSecretsProvider bool = false - -@description('Rotation poll interval for the AKS KV CSI provider') -param kvPollInterval string = '2m' - -@description('Enables Open Service Mesh') -param openServiceMeshAddon bool = false - -@description('Creates a Key Vault') -param createKV bool = false +@description('Creates a KeyVault') +param keyVaultCreate bool = false @description('If soft delete protection is enabled') -param KeyVaultSoftDelete bool = true +param keyVaultSoftDelete bool = true @description('If purge protection is enabled') -param KeyVaultPurgeProtection bool = true +param keyVaultPurgeProtection bool = true @description('Add IP to KV firewall allow-list') -param kvIPAllowlist array = [] +param keyVaultIPAllowlist array = [] -var akvRawName = 'kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}' -var akvName = length(akvRawName) > 24 ? substring(akvRawName, 0, 24) : akvRawName - -var kvIPRules = [for kvIp in kvIPAllowlist: { - value: kvIp -}] - -resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = if (createKV) { - name: akvName - location: location - properties: { - tenantId: subscription().tenantId - sku: { - family: 'A' - name: 'standard' - } - // publicNetworkAccess: whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. - publicNetworkAccess: privateLinks && empty(kvIPAllowlist) ? 'disabled' : 'enabled' +@description('Installs the AKS KV CSI provider') +param keyVaultAksCSI bool = false - networkAcls: privateLinks && !empty(kvIPAllowlist) ? 
{ - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: kvIPRules - virtualNetworkRules: [] - } : {} +@description('Rotation poll interval for the AKS KV CSI provider') +param keyVaultAksCSIPollInterval string = '2m' - //enabledForTemplateDeployment: true - enableRbacAuthorization: true - enabledForDeployment: false - enabledForDiskEncryption: false - enabledForTemplateDeployment: false - enableSoftDelete: KeyVaultSoftDelete - enablePurgeProtection: KeyVaultPurgeProtection ? true : json('null') +module kv 'keyvault.bicep' = if(keyVaultCreate) { + name: 'keyvault' + params: { + resourceName: resourceName + keyVaultPurgeProtection: keyVaultPurgeProtection + keyVaultSoftDelete: keyVaultSoftDelete + keyVaultIPAllowlist: keyVaultIPAllowlist + location: location + privateLinks: privateLinks } } -var keyVaultSecretsUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') -resource kvAppGwSecretsUserRole 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (createKV && appgwKVIntegration) { - scope: kv - name: guid(aks.id, 'AppGw', keyVaultSecretsUserRole) - properties: { - roleDefinitionId: keyVaultSecretsUserRole - principalType: 'ServicePrincipal' - principalId: deployAppGw ? appGwIdentity.properties.principalId : '' - } -} +@description('The principal ID of the user or service principal that requires access to the Key Vault. 
Set automatedDeployment to toggle between user and service prinicpal') +param keyVaultOfficerRolePrincipalId string = '' +var keyVaultOfficerRolePrincipalIds = [ + keyVaultOfficerRolePrincipalId +] -resource kvCSIdriverSecretsUserRole 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (createKV && azureKeyvaultSecretsProvider) { - scope: kv - name: guid(aks.id, 'CSIDriver', keyVaultSecretsUserRole) - properties: { - roleDefinitionId: keyVaultSecretsUserRole - principalType: 'ServicePrincipal' - principalId: aks.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.objectId - } -} +@description('Parsing an array with union ensures that duplicates are removed, which is great when dealing with highly conditional elements') +var rbacSecretUserSps = union([deployAppGw && appgwKVIntegration ? appGwIdentity.properties.principalId : ''],[keyVaultAksCSI ? aks.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.objectId : '']) -@description('The principal ID of the service principal that has access to the Key Vault') -param kvOfficerRolePrincipalId string = '' -var keyVaultSecretsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') -resource kvUserSecretOfficerRole 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (createKV && !empty(kvOfficerRolePrincipalId)) { - scope: kv - name: guid(aks.id, 'usersecret', keyVaultSecretsOfficerRole) - properties: { - roleDefinitionId: keyVaultSecretsOfficerRole - principalType: automatedDeployment ? 
'ServicePrincipal' : 'User' - principalId: kvOfficerRolePrincipalId - } -} +@description('A seperate module is used for RBAC to avoid delaying the KeyVault creation and causing a circular reference.') +module kvRbac 'keyvaultrbac.bicep' = if (keyVaultCreate) { + name: 'KeyVaultRbac' + params: { + keyVaultName: kv.outputs.keyVaultName + //service principals + rbacSecretUserSps: rbacSecretUserSps + rbacSecretOfficerSps: !empty(keyVaultOfficerRolePrincipalId) && automatedDeployment ? keyVaultOfficerRolePrincipalIds : [] + rbacCertOfficerSps: !empty(keyVaultOfficerRolePrincipalId) && automatedDeployment ? keyVaultOfficerRolePrincipalIds : [] -var keyVaultCertsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') -resource kvUserCertsOfficerRole 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (createKV && !empty(kvOfficerRolePrincipalId)) { - scope: kv - name: guid(aks.id, 'usercert', keyVaultCertsOfficerRole) - properties: { - roleDefinitionId: keyVaultCertsOfficerRole - principalType: automatedDeployment ? 'ServicePrincipal' : 'User' - principalId: kvOfficerRolePrincipalId + //users + rbacSecretOfficerUsers: !empty(keyVaultOfficerRolePrincipalId) && !automatedDeployment ? keyVaultOfficerRolePrincipalIds : [] + rbacCertOfficerUsers: !empty(keyVaultOfficerRolePrincipalId) && !automatedDeployment ? keyVaultOfficerRolePrincipalIds : [] } } -output keyVaultName string = createKV ? kv.name : '' -output keyVaultId string = createKV ? kv.id : '' - -resource kvDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (createLaw && createKV) { - name: 'kvDiags' - scope: kv - properties: { - workspaceId:aks_law.id - logs: [ - { - category: 'AuditEvent' - enabled: true - } - ] - metrics: [ - { - category: 'AllMetrics' - enabled: true - } - ] - } -} +output keyVaultName string = keyVaultCreate ? kv.outputs.keyVaultName : '' +output keyVaultId string = keyVaultCreate ? 
kv.outputs.keyVaultId : '' /* ___ ______ .______ @@ -793,6 +726,9 @@ param omsagent bool = false @description('Enable RBAC using AAD') param enableAzureRBAC bool = false +@description('Enables Open Service Mesh') +param openServiceMeshAddon bool = false + @allowed([ '' 'none' @@ -909,13 +845,13 @@ param DefenderForContainers bool = false param JustUseSystemPool bool = false @allowed([ - 'Cost-Optimised' + 'CostOptimised' 'Standard' 'HighSpec' 'Custom' ]) @description('The System Pool Preset sizing') -param SystemPoolType string = 'Cost-Optimised' +param SystemPoolType string = 'CostOptimised' @description('A custom system pool spec') param SystemPoolCustomPreset object = {} @@ -966,7 +902,7 @@ param oidcIssuer bool = false @description('System Pool presets are derived from the recommended system pool specs') var systemPoolPresets = { - 'Cost-Optimised' : { + CostOptimised : { vmSize: 'Standard_B4ms' count: 1 minCount: 1 @@ -974,7 +910,7 @@ var systemPoolPresets = { enableAutoScaling: true availabilityZones: [] } - 'Standard' : { + Standard : { vmSize: 'Standard_DS2_v2' count: 3 minCount: 3 @@ -986,7 +922,7 @@ var systemPoolPresets = { '3' ] } - 'HighSpec' : { + HighSpec : { vmSize: 'Standard_D4s_v3' count: 3 minCount: 3 @@ -1053,9 +989,9 @@ var aks_addons = union({ azureKeyvaultSecretsProvider: { config: { enableSecretRotation: 'true' - rotationPollInterval: kvPollInterval + rotationPollInterval: keyVaultAksCSIPollInterval } - enabled: azureKeyvaultSecretsProvider + enabled: keyVaultAksCSI } openServiceMesh: { enabled: openServiceMeshAddon 
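Review bot: The new kv module call in the -189 hunk passes no logAnalyticsWorkspaceId, while the removed kvDiags resource in the same hunk shipped Key Vault AuditEvent logs and metrics to aks_law whenever createLaw && createKV; since the module's parameter defaults to '' and its diagnostic setting is conditional on it, every deployment now loses Key Vault audit logging. Adding `logAnalyticsWorkspaceId: createLaw ? aks_law.id : ''` to the module params restores it, assuming createLaw and aks_law remain defined elsewhere in main.bicep (both appear here only on removed lines). The @description on keyVaultOfficerRolePrincipalId spells 'prinicpal' and the kvRbac description 'seperate'. The SystemPoolType change in the later -909 hunk drops 'Cost-Optimised' from the @allowed list, so any parameter file outside this repository still passing the old value will fail validation; that is a breaking change worth a release note.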
@@ -1171,6 +1107,8 @@ resource aks 'Microsoft.ContainerService/managedClusters@2022-05-02-preview' = { } output aksClusterName string = aks.name output aksOidcIssuerUrl string = oidcIssuer ? aks.properties.oidcIssuerProfile.issuerURL : '' +output aksNodeResourceGroup string = aks.properties.nodeResourceGroup +//output aksNodePools array = [for nodepool in agentPoolProfiles: name] @description('Not giving Rbac at the vnet level when using private dns results in ReconcilePrivateDNS. Therefore we need to upgrade the scope when private dns is being used, because it wants to set up the dns->vnet integration.') var uaiNetworkScopeRbac = enablePrivateCluster && !empty(dnsApiPrivateZoneId) ? 'Vnet' : 'Subnet' @@ -1294,11 +1232,11 @@ param createAksMetricAlerts bool = true param AksMetricAlertMetricFrequencyModel string = 'Long' var AlertFrequencyLookup = { - 'Short': { + Short: { evalFrequency: 'PT1M' windowSize: 'PT5M' } - 'Long': { + Long: { evalFrequency: 'PT15M' windowSize: 'PT1H' } diff --git a/docs/ReleasingWizard.md b/docs/ReleasingWizard.md index 4ddb4a559..4783f8932 100644 --- a/docs/ReleasingWizard.md +++ b/docs/ReleasingWizard.md 
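Review bot: `+//output aksNodePools array = [for nodepool in agentPoolProfiles: name]` leaves commented-out code in the template, and as written it references `name` rather than `nodepool.name`, so it would not compile if simply uncommented. Either drop the line or replace it with `// TODO: expose node pool names as an output` so the intent survives without a broken snippet. The new aksNodeResourceGroup output would also benefit from a short `@description('Name of the managed node resource group created for the cluster')` so consumers of the module know what it carries.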
@@ -2,12 +2,12 @@ ## Creating a release -Usually a release of the Web UI will be accompanied by changes to the bicep code. In which case a new symantic release tag needs to be chosen (0.8.2 or 0.8.5 etc). +Usually a release of the Web UI will be accompanied by changes to the bicep code. In which case a new symantec release tag needs to be chosen (0.8.2 or 0.8.5 etc). There is a [GitHub action workflow](https://github.com/Azure/AKS-Construction/actions/workflows/release.yml) which is initiated manually but automates the release, all that needs to be provided is the new release tag. ## Releasing just the Web UI -Occassionally there will be UI improvements that we want to release that do not have any dependencies in a new release. +Occasionally there will be UI improvements that we want to release that do not have any dependencies in a new release. For these scenarios, we use the same [GitHub action workflow](https://github.com/Azure/AKS-Construction/actions/workflows/release.yml) but choose not to create a new release. Instead, just repeating the release tag that is current. ## Rolling back the release @@ -15,7 +15,7 @@ For these scenarios, we use the same [GitHub action workflow](https://github.com When the release workflow runs, it stores assets of the UI and bicep code in zip files. If we need to rollback a *bad release* then process is as follows -1. In the [GitHub action workflow](https://github.com/Azure/AKS-Construction/actions/workflows/release.yml) history, locate the release you want to rollback to. +1. In the [GitHub action workflow](https://github.com/Azure/AKS-Construction/actions/workflows/release.yml) history, locate the release you want to rollback to. 2. Download the artifact zip for the `WizardApp` 3. In you local git environment checkout the `gh-pages` branch 4. Extract the contents of the artifact zip over the top of branch diff --git a/helper/src/components/addonsTab.js b/helper/src/components/addonsTab.js index 6f44016bf..ace8de59d 100644 
--- a/helper/src/components/addonsTab.js +++ b/helper/src/components/addonsTab.js @@ -330,7 +330,7 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) { updateFn("kvPollInterval", key)} selectedKey={addons.kvPollInterval} + onChange={(ev, { key }) => updateFn("keyVaultAksCSIPollInterval", key)} selectedKey={addons.keyVaultAksCSIPollInterval} options={[ { key: '2m', text: '2 minutes' }, { key: '5m', text: '5 minutes' }, diff --git a/helper/src/components/clusterTab.js b/helper/src/components/clusterTab.js index f161c4ddd..4df0f008b 100644 --- a/helper/src/components/clusterTab.js +++ b/helper/src/components/clusterTab.js @@ -85,7 +85,7 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) { selectedKey={cluster.SystemPoolType} options={[ { "data-testid":'cluster-systempool-none', key: 'none', text: 'No separate system pool: Use a single pool for System and User workloads' }, - { "data-testid":'cluster-systempool-Cost-Optimised', key: 'Cost-Optimised', text: 'Cost-Optimised: use low-cost Burstable VMs, with 1-3 node autoscale' }, + { "data-testid":'cluster-systempool-Cost-Optimised', key: 'CostOptimised', text: 'CostOptimised: use low-cost Burstable VMs, with 1-3 node autoscale' }, { "data-testid":'cluster-systempool-Standard', key: 'Standard', text: 'Standard: use standard 4-core VMs, with 2-3 node autoscale' } ]} onChange={(ev, { key }) => { sliderUpdateFn({SystemPoolType: key}) }} diff --git a/helper/src/components/deployTab.js b/helper/src/components/deployTab.js index 6db906a83..c3706534d 100644 --- a/helper/src/components/deployTab.js +++ b/helper/src/components/deployTab.js 
@@ -58,7 +58,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray, ...(net.afw && { azureFirewalls: true, ...(addons.certMan && {certManagerFW: true}), ...(net.vnet_opt === "custom" && defaults.net.vnetFirewallSubnetAddressPrefix !== net.vnetFirewallSubnetAddressPrefix && { vnetFirewallSubnetAddressPrefix: net.vnetFirewallSubnetAddressPrefix }) }), ...(net.vnet_opt === "custom" && net.vnetprivateend && { privateLinks: true, - ...(addons.csisecret === 'akvNew' && deploy.kvIPAllowlist && apiips_array.length > 0 && {kvIPAllowlist: apiips_array }), + ...(addons.csisecret === 'akvNew' && deploy.keyVaultIPAllowlist && apiips_array.length > 0 && {keyVaultIPAllowlist: apiips_array }), ...(defaults.net.privateLinkSubnetAddressPrefix !== net.privateLinkSubnetAddressPrefix && {privateLinkSubnetAddressPrefix: net.privateLinkSubnetAddressPrefix}), }), ...(addons.monitor === "aci" && { omsagent: true, retentionInDays: addons.retentionInDays, ...( addons.createAksMetricAlerts !== defaults.addons.createAksMetricAlerts && {createAksMetricAlerts: addons.createAksMetricAlerts }) }), 
@@ -85,9 +85,9 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray, ...(addons.appgwKVIntegration && addons.csisecret === 'akvNew' && { appgwKVIntegration: true }) }) }), - ...(addons.csisecret !== "none" && { azureKeyvaultSecretsProvider: true }), - ...(addons.csisecret === 'akvNew' && { createKV: true, ...(deploy.kvCertSecretRole && { kvOfficerRolePrincipalId: "$(az ad signed-in-user show --query id --out tsv)"}) }), - ...(addons.csisecret !== "none" && addons.kvPollInterval !== defaults.addons.kvPollInterval && { kvPollInterval: addons.kvPollInterval }), + ...(addons.csisecret !== "none" && { keyVaultAksCSI: true }), + ...(addons.csisecret === 'akvNew' && { keyVaultCreate: true, ...(deploy.kvCertSecretRole && { keyVaultOfficerRolePrincipalId: "$(az ad signed-in-user show --query id --out tsv)"}) }), + ...(addons.csisecret !== "none" && addons.keyVaultAksCSIPollInterval !== defaults.addons.keyVaultAksCSIPollInterval && { keyVaultAksCSIPollInterval: addons.keyVaultAksCSIPollInterval }), ...(addons.fluxGitOpsAddon !== defaults.addons.fluxGitOpsAddon && { fluxGitOpsAddon: addons.fluxGitOpsAddon}) } @@ -151,7 +151,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray, const params2TfVar = p => Object.keys(p).filter(p => p !== 'adminPrincipalId' && p !== 'acrPushRolePrincipalId' && - p !== 'kvOfficerRolePrincipalId').map(k => { + p !== 'keyVaultOfficerRolePrincipalId').map(k => { const val = p[k] 
@@ -172,7 +172,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray, const params2file = p => Object.keys(p).filter(p => p !== 'adminPrincipalId' && p !== 'acrPushRolePrincipalId' && - p !== 'kvOfficerRolePrincipalId').reduce((a, c) => { return { ...a, parameters: { ...a.parameters, [c]: { value: p[c] } } } }, { + p !== 'keyVaultOfficerRolePrincipalId').reduce((a, c) => { return { ...a, parameters: { ...a.parameters, [c]: { value: p[c] } } } }, { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": {} @@ -343,9 +343,9 @@ az role assignment create --role "Managed Identity Operator" --assignee-principa updateFn("kvCertSecretRole", v)} label="Assign deployment user Certificate and Secret Officer" /> - updateFn("kvIPAllowlist", v)} label="Add current IP to KeyVault firewall (applicable to private link)" /> + updateFn("keyVaultIPAllowlist", v)} label="Add current IP to KeyVault firewall (applicable to private link)" /> - { deploy.kvIPAllowlist && net.vnetprivateend && "Add current IP to KeyVault firewall" will enable KeyVaults PublicNetworkAccess property } + { deploy.keyVaultIPAllowlist && net.vnetprivateend && "Add current IP to KeyVault firewall" will enable KeyVaults PublicNetworkAccess property } diff --git a/helper/src/config.json b/helper/src/config.json index 03d21ca29..1b73f8953 100644 --- a/helper/src/config.json +++ b/helper/src/config.json @@ -15,7 +15,7 @@ "disablePreviews": false, "acrPushRole": true, "kvCertSecretRole": true, - "kvIPAllowlist": false, + "keyVaultIPAllowlist": false, "clusterAdminRole": true, "clusterIPWhitelist" : true, "templateVersions": [{ @@ -34,7 +34,7 @@ "dnsApiPrivateZoneId":"", "autoscale": true, "upgradeChannel": "none", - "SystemPoolType": "Cost-Optimised", + "SystemPoolType": "CostOptimised", "agentCount": 3, "maxCount": 20, "vmSize": "Standard_DS3_v2", 
@@ -80,7 +80,7 @@
 "retentionInDays": 30,
 "createAksMetricAlerts": true,
 "csisecret": "none",
- "kvPollInterval": "2m",
+ "keyVaultAksCSIPollInterval": "2m",
 "kvId": "",
 "gitops": "none"
 },
diff --git a/helper/src/configpresets/principals.json b/helper/src/configpresets/principals.json
index d4042b873..67135d9fb 100644
--- a/helper/src/configpresets/principals.json
+++ b/helper/src/configpresets/principals.json
@@ -58,7 +58,7 @@
 "icon": "DeveloperTools",
 "values": {
 "cluster": {
- "SystemPoolType": "Cost-Optimised",
+ "SystemPoolType": "CostOptimised",
 "autoscale": false,
 "upgradeChannel": "none"
 },
@@ -100,7 +100,7 @@
 "icon": "Touch",
 "values": {
 "cluster": {
- "SystemPoolType": "Cost-Optimised",
+ "SystemPoolType": "CostOptimised",
 "autoscale": true,
 "upgradeChannel": "stable"
 },
@@ -148,7 +148,7 @@
 "icon": "Unlock",
 "values": {
 "deploy": {
- "kvIPAllowlist": false
+ "keyVaultIPAllowlist": false
 },
 "cluster": {
 "enable_aad": false,
@@ -220,7 +220,7 @@
 "icon": "Lock12",
 "values": {
 "deploy": {
- "kvIPAllowlist": false
+ "keyVaultIPAllowlist": false
 },
 "cluster": {
 "enable_aad": true,
@@ -324,7 +324,7 @@
 "icon": "ProtectionCenterLogo32",
 "values": {
 "deploy": {
- "kvIPAllowlist": true
+ "keyVaultIPAllowlist": true
 },
 "cluster": {
 "enable_aad": true,
diff --git a/samples/flux/aks-baseline-config.bicep b/samples/flux/aks-baseline-config.bicep
index d535de4b2..a9c3e83bf 100644
--- a/samples/flux/aks-baseline-config.bicep
+++ b/samples/flux/aks-baseline-config.bicep
@@ -32,7 +32,7 @@ module aksconst '../../bicep/main.bicep' = {
 retentionInDays: 30
 agentCount: 1
 JustUseSystemPool: false
- SystemPoolType: 'Cost-Optimised'
+ SystemPoolType: 'CostOptimised'
 createEventGrid: true
 }
 }
diff --git a/samples/flux/azure-docs-config.bicep b/samples/flux/azure-docs-config.bicep
index e97319521..c6689f5f0 100644
--- a/samples/flux/azure-docs-config.bicep
+++ b/samples/flux/azure-docs-config.bicep
@@ -34,7 +34,7 @@ module aksconst '../../bicep/main.bicep' = {
 retentionInDays: 30
 agentCount: 1
 JustUseSystemPool: false
- SystemPoolType: 'Cost-Optimised'
+ SystemPoolType: 'CostOptimised'
 createEventGrid: true
 }
 }
diff --git a/samples/peered-vnet/main.bicep b/samples/peered-vnet/main.bicep
index 8aa8f1af5..a41799e76 100644
--- a/samples/peered-vnet/main.bicep
+++ b/samples/peered-vnet/main.bicep
@@ -115,7 +115,7 @@ module gridAks '../../bicep/main.bicep' = {
 agentCountMax:3
 adminPrincipalId: adminPrincipalId
 JustUseSystemPool: false
- SystemPoolType: 'Cost-Optimised'
+ SystemPoolType: 'CostOptimised'
 byoAKSSubnetId: gridVnet.outputs.aksSubnetId
 AutoscaleProfile: aggressiveAutoScaler
 //agentVMTaints: [for pool in extraAksNodePools: '${nodeTaintKey}=${pool}:NoExecute']
diff --git a/samples/windows/main.bicep b/samples/windows/main.bicep
index bc938d4af..9308d3df8 100644
--- a/samples/windows/main.bicep
+++ b/samples/windows/main.bicep
@@ -38,7 +38,7 @@ module aks '../../bicep/main.bicep' = {
 agentCount:1
 agentCountMax:3
 JustUseSystemPool: true
- SystemPoolType: 'Cost-Optimised'
+ SystemPoolType: 'CostOptimised'
 byoAKSSubnetId: vnet.properties.subnets[0].id
 }
 }