implementation of MISE middleware

Azure · Oct 11, 2024 · 0d52bbd · 0d52bbd
1 parent 69378fb
commit 0d52bbd
Show file tree

Hide file tree

Showing 24 changed files with 1,076 additions and 76 deletions.
diff --git a/pkg/deploy/assets/gateway-production.json b/pkg/deploy/assets/gateway-production.json
diff --git a/pkg/deploy/assets/rp-production-parameters.json b/pkg/deploy/assets/rp-production-parameters.json
@@ -75,6 +75,9 @@
         "fpServicePrincipalId": {
             "value": ""
         },
+        "fpTenantId": {
+            "value": ""
+        },
         "gatewayDomains": {
             "value": ""
         },
@@ -99,6 +102,12 @@
         "mdsdEnvironment": {
             "value": ""
         },
+        "miseValidAppIDs": {
+            "value": ""
+        },
+        "miseValidAudiences": {
+            "value": ""
+        },
         "msiRpEndpoint": {
             "value": ""
         },

diff --git a/pkg/deploy/assets/rp-production.json b/pkg/deploy/assets/rp-production.json
diff --git a/pkg/deploy/config.go b/pkg/deploy/config.go
@@ -63,6 +63,7 @@ type Configuration struct {
 	ExtraServiceKeyvaultAccessPolicies []interface{}          `json:"extraServiceKeyvaultAccessPolicies,omitempty" value:"required"`
 	FluentbitImage                     *string                `json:"fluentbitImage,omitempty" value:"required"`
 	FPClientID                         *string                `json:"fpClientId,omitempty" value:"required"`
+	FPTENANTID                         *string                `json:"fpTenantId,omitempty" value:"required"`
 	FPServerCertCommonName             *string                `json:"fpServerCertCommonName,omitempty"`
 	FPServicePrincipalID               *string                `json:"fpServicePrincipalId,omitempty" value:"required"`
 	GatewayDomains                     []string               `json:"gatewayDomains,omitempty"`
@@ -78,6 +79,8 @@ type Configuration struct {
 	KeyvaultPrefix                     *string                `json:"keyvaultPrefix,omitempty" value:"required"`
 	MDMFrontendURL                     *string                `json:"mdmFrontendUrl,omitempty" value:"required"`
 	MDSDEnvironment                    *string                `json:"mdsdEnvironment,omitempty" value:"required"`
+	MISEVALIDAUDIENCES                 []string               `json:"miseValidAudiences,omitempty"`
+	MISEVALIDAPPIDs                    []string               `json:"miseValidAppIDs,omitempty"`
 	NonZonalRegions                    []string               `json:"nonZonalRegions,omitempty"`
 	PortalAccessGroupIDs               []string               `json:"portalAccessGroupIds,omitempty" value:"required"`
 	PortalClientID                     *string                `json:"portalClientId,omitempty" value:"required"`

diff --git a/pkg/deploy/devconfig.go b/pkg/deploy/devconfig.go
@@ -152,6 +152,7 @@ func DevConfig(_env env.Core) (*Config, error) {
 			},
 			FluentbitImage:       ptr.To(version.FluentbitImage(azureUniquePrefix + "aro." + _env.Environment().ContainerRegistryDNSSuffix)),
 			FPClientID:           ptr.To(os.Getenv("AZURE_FP_CLIENT_ID")),
+			FPTENANTID:           ptr.To(os.Getenv("AZURE_TENANT_ID")),
 			FPServicePrincipalID: ptr.To(os.Getenv("AZURE_FP_SERVICE_PRINCIPAL_ID")),
 			GatewayDomains: []string{
 				"eastus-shared.ppe.warm.ingest.monitor.core.windows.net",
@@ -174,6 +175,13 @@ func DevConfig(_env env.Core) (*Config, error) {
 			MDMFrontendURL:              ptr.To("https://global.ppe.microsoftmetrics.com/"),
 			MDSDEnvironment:             ptr.To(version.DevGenevaLoggingEnvironment),
 			MsiRpEndpoint:               ptr.To("https://iamaplaceholder.com"),
+			MISEVALIDAUDIENCES: []string{
+				"https://management.core.windows.net/",
+				_env.Environment().ResourceManagerEndpoint,
+			},
+			MISEVALIDAPPIDs: []string{
+				"2187cde1-7e28-4645-9104-19edfa500053",
+			},
 			PortalAccessGroupIDs: []string{
 				os.Getenv("AZURE_PORTAL_ACCESS_GROUP_IDS"),
 			},
@@ -191,6 +199,7 @@ func DevConfig(_env env.Core) (*Config, error) {
 				"EnableOCMEndpoints",
 				"RequireOIDCStorageWebEndpoint",
 				"UseMockMsiRp",
+				"EnableMISE",
 			},
 			// TODO update this to support FF
 			RPImagePrefix:                     ptr.To(azureUniquePrefix + "aro.azurecr.io/aro"),

diff --git a/pkg/deploy/generator/resources_rp.go b/pkg/deploy/generator/resources_rp.go
@@ -376,6 +376,7 @@ func (g *generator) rpVMSS() *arm.Resource {
 		"databaseAccountName",
 		"fluentbitImage",
 		"fpClientId",
+		"fpTenantId",
 		"fpServicePrincipalId",
 		"gatewayDomains",
 		"gatewayResourceGroupName",
@@ -409,6 +410,18 @@ func (g *generator) rpVMSS() *arm.Resource {
 		)
 	}
 
+	// convert array variables to string using ARM string() function to be passed via customScript later
+	for _, variable := range []string{
+		"miseValidAudiences",
+		"miseValidAppIDs",
+	} {
+		parts = append(parts,
+			fmt.Sprintf("'%s=$(base64 -d <<<'''", strings.ToUpper(variable)),
+			fmt.Sprintf("base64(string(parameters('%s')))", variable),
+			"''')\n'",
+		)
+	}
+
 	for _, variable := range []string{
 		"adminApiCaBundle",
 		"armApiCaBundle",
@@ -424,6 +437,14 @@ func (g *generator) rpVMSS() *arm.Resource {
 		"'MDMIMAGE=''"+version.MdmImage("")+"''\n'",
 	)
 
+	parts = append(parts,
+		"'OTELIMAGE=''"+version.OTelImage("")+"''\n'",
+	)
+
+	parts = append(parts,
+		"'MISEIMAGE=''"+version.MiseImage("")+"''\n'",
+	)
+
 	parts = append(parts,
 		"'LOCATION=$(base64 -d <<<'''",
 		"base64(resourceGroup().location)",

diff --git a/pkg/deploy/generator/scripts/gatewayVMSS.sh b/pkg/deploy/generator/scripts/gatewayVMSS.sh
@@ -118,6 +118,15 @@ RPIMAGE='$rpimage'"
         ["gateway_config"]="aro_gateway_conf_file"
         ["fluentbit"]="fluentbit_conf_file"
         ["mdsd"]="mdsd_config_version"
+        ["static_ip_address"]="static_ip_addresses"
+    )
+
+    # shellcheck disable=SC2034
+    # use default podman network with range 10.88.0.0/16
+    local -rA static_ip_addresses=(
+        ["gateway"]="10.88.0.2"
+        ["fluentbit"]="10.88.0.7"
+        ["mdm"]="10.88.0.8"
     )
 
     configure_vmss_aro_services role_gateway \

diff --git a/pkg/deploy/generator/scripts/rpVMSS.sh b/pkg/deploy/generator/scripts/rpVMSS.sh
@@ -45,8 +45,8 @@ main() {
     )
 
     dnf_install_pkgs install_pkgs \
-                     retry_wait_time \
-                     "$pkg_retry_count"
+                      retry_wait_time \
+                      "$pkg_retry_count"
 
     fips_configure
 
@@ -56,22 +56,21 @@ main() {
     # shellcheck disable=SC2153 disable=SC2034
     local -r mdmimage="${RPIMAGE%%/*}/${MDMIMAGE#*/}"
     local -r rpimage="$RPIMAGE"
+    local -r miseimage="${RPIMAGE%%/*}/${MISEIMAGE#*/}"
+    local -r otelimage="$OTELIMAGE"
     # shellcheck disable=SC2034
     local -r fluentbit_image="$FLUENTBITIMAGE"
     # shellcheck disable=SC2034
     local -rA aro_images=(
         ["mdm"]="mdmimage"
         ["rp"]="rpimage"
         ["fluentbit"]="fluentbit_image"
+        ["mise"]="miseimage"
+        ["otel"]="otelimage"
     )
 
     pull_container_images aro_images
 
-    local -r aro_network="aro"
-    # shellcheck disable=SC2034
-    local -rA networks=(
-        ["$aro_network"]="192.168.254.0/24"
-    )
     # shellcheck disable=SC2034
     local -ra enable_ports=(
         # RP frontend
@@ -121,6 +120,26 @@ main() {
 	Match *
 	Port 29230"
 
+    # values are references to variables, they should not be dereferenced here
+    # shellcheck disable=SC2034
+    local -rA aro_configs=(
+        ["rp_config"]="aro_rp_conf_file"
+        ["fluentbit"]="fluentbit_conf_file"
+        ["mdsd"]="mdsd_config_version"
+        ["static_ip_address"]="static_ip_addresses"
+    )
+
+    # shellcheck disable=SC2034
+    # use default podman network with range 10.88.0.0/16
+    local -rA static_ip_addresses=(
+        ["rp"]="10.88.0.2"
+        ["monitor"]="10.88.0.3"
+        ["portal"]="10.88.0.4"
+        ["mise"]="10.88.0.5"
+        ["otel_collector"]="10.88.0.6"
+        ["fluentbit"]="10.88.0.7"
+        ["mdm"]="10.88.0.8"
+    )
 
     # shellcheck disable=SC2034
     local -r mdsd_config_version="$RPMDSDCONFIGVERSION"
@@ -144,6 +163,7 @@ KEYVAULT_PREFIX='$KEYVAULTPREFIX'
 MDM_ACCOUNT='$RPMDMACCOUNT'
 MDM_NAMESPACE='${role_rp^^}'
 MDSD_ENVIRONMENT='$MDSDENVIRONMENT'
+MISE_ADDRESS='http://${static_ip_addresses["mise"]}:5000'
 RP_FEATURES='$RPFEATURES'
 RPIMAGE='$rpimage'
 ARO_INSTALL_VIA_HIVE='$CLUSTERSINSTALLVIAHIVE'
@@ -154,22 +174,15 @@ OIDC_STORAGE_ACCOUNT_NAME='$OIDCSTORAGEACCOUNTNAME'
 MSI_RP_ENDPOINT='$MSIRPENDPOINT'
 "
 
-    # values are references to variables, they should not be dereferenced here
-    # shellcheck disable=SC2034
-    local -rA aro_configs=(
-        ["rp_config"]="aro_rp_conf_file"
-        ["fluentbit"]="fluentbit_conf_file"
-        ["mdsd"]="mdsd_config_version"
-        ["network"]="aro_network"
-    )
-
     configure_vmss_aro_services role_rp \
                                 aro_images \
                                 aro_configs
 
     # shellcheck disable=SC2034
     local -ra aro_services=(
+        "aro-mise"
         "aro-monitor"
+        "aro-otel-collector"
         "aro-portal"
         "aro-rp"
         "azsecd"