Adjust RP deployment for MISE SideCar Container

Deploys MISE Container on the RP VMSS for Prod, INT Environments.
Will have another RP for RP-Config

pkg/deploy/assets/aks-development.json

@@ -85,7 +85,7 @@
             }
         },
         "kubernetesVersion": {
-            "defaultValue": "1.26.6",
+            "defaultValue": "1.29.0",
             "type": "string",
             "metadata": {
                 "description": "The version of Kubernetes."

pkg/deploy/assets/rp-production-parameters.json

@@ -84,6 +84,9 @@
         "fpServicePrincipalId": {
             "value": ""
         },
+        "fpTenantId": {
+            "value": ""
+        },
         "gatewayDomains": {
             "value": ""
         },
@@ -108,6 +111,21 @@
         "mdsdEnvironment": {
             "value": ""
         },
+        "miseAddress": {
+            "value": "http://localhost:5000"
+        },
+        "miseAllowedHosts": {
+            "value": "*"
+        },
+        "miseLogLEVEL": {
+            "value": "Information"
+        },
+        "miseValidAppIDs": {
+            "value": ""
+        },
+        "miseValidAudiences": {
+            "value": ""
+        },
         "nonZonalRegions": {
             "value": [
                 "eastasia",

pkg/deploy/config.go

@@ -67,6 +67,7 @@ type Configuration struct {
 	ExtraServiceKeyvaultAccessPolicies []interface{}          `json:"extraServiceKeyvaultAccessPolicies,omitempty" value:"required"`
 	FluentbitImage                     *string                `json:"fluentbitImage,omitempty" value:"required"`
 	FPClientID                         *string                `json:"fpClientId,omitempty" value:"required"`
+	FPTENANTID                         *string                `json:"fpTenantId,omitempty" value:"required"`
 	FPServerCertCommonName             *string                `json:"fpServerCertCommonName,omitempty"`
 	FPServicePrincipalID               *string                `json:"fpServicePrincipalId,omitempty" value:"required"`
 	GatewayDomains                     []string               `json:"gatewayDomains,omitempty"`
@@ -82,6 +83,11 @@ type Configuration struct {
 	KeyvaultPrefix                     *string                `json:"keyvaultPrefix,omitempty" value:"required"`
 	MDMFrontendURL                     *string                `json:"mdmFrontendUrl,omitempty" value:"required"`
 	MDSDEnvironment                    *string                `json:"mdsdEnvironment,omitempty" value:"required"`
+	MISELOGLEVEL                       *string                `json:"miseLogLevel,omitempty"`
+	MISEADDRESS                        *string                `json:"miseAddress,omitempty"`
+	MISEALLOWEDHOSTS                   *string                `json:"miseAllowedHosts,omitempty"`
+	MISEVALIDAUDIENCES                 []string               `json:"miseValidAudiences,omitempty"`
+	MISEVALIDAPPIDs                    []string               `json:"miseValidAppIDs,omitempty"`
 	NonZonalRegions                    []string               `json:"nonZonalRegions,omitempty"`
 	PortalAccessGroupIDs               []string               `json:"portalAccessGroupIds,omitempty" value:"required"`
 	PortalClientID                     *string                `json:"portalClientId,omitempty" value:"required"`

pkg/deploy/devconfig.go

@@ -143,6 +143,7 @@ func DevConfig(_env env.Core) (*Config, error) {
 			},
 			FluentbitImage:       to.StringPtr(version.FluentbitImage(os.Getenv("USER") + "aro." + _env.Environment().ContainerRegistryDNSSuffix)),
 			FPClientID:           to.StringPtr(os.Getenv("AZURE_FP_CLIENT_ID")),
+			FPTENANTID:           to.StringPtr(os.Getenv("AZURE_TENANT_ID")),
 			FPServicePrincipalID: to.StringPtr(os.Getenv("AZURE_FP_SERVICE_PRINCIPAL_ID")),
 			GatewayDomains: []string{
 				"eastus-shared.ppe.warm.ingest.monitor.core.windows.net",
@@ -167,6 +168,17 @@ func DevConfig(_env env.Core) (*Config, error) {
 			GlobalSubscriptionID:        to.StringPtr(_env.SubscriptionID()),
 			MDMFrontendURL:              to.StringPtr("https://global.ppe.microsoftmetrics.com/"),
 			MDSDEnvironment:             to.StringPtr(version.DevGenevaLoggingEnvironment),
+			MISELOGLEVEL:                to.StringPtr("Information"),
+			MISEADDRESS:                 to.StringPtr("http://localhost:5000"),
+			MISEALLOWEDHOSTS:            to.StringPtr("*"),
+			MISEVALIDAUDIENCES: []string{
+				"https://management.core.windows.net/",
+				_env.Environment().ResourceManagerEndpoint,
+			},
+			MISEVALIDAPPIDs: []string{
+				"2187cde1-7e28-4645-9104-19edfa500053",
+				"2187cde1-7e28-4645-9104-19edfa500052",
+			},
 			PortalAccessGroupIDs: []string{
 				os.Getenv("AZURE_PORTAL_ACCESS_GROUP_IDS"),
 			},
@@ -182,6 +194,7 @@ func DevConfig(_env env.Core) (*Config, error) {
 				"RequireD2sV3Workers",
 				"DisableReadinessDelay",
 				"EnableOCMEndpoints",
+				"EnableMISE",
 			},
 			// TODO update this to support FF
 			RPImagePrefix:                     to.StringPtr(os.Getenv("USER") + "aro.azurecr.io/aro"),

pkg/deploy/generator/resources_rp.go

@@ -467,6 +467,7 @@ func (g *generator) rpVMSS() *arm.Resource {
 		"dbtokenClientId",
 		"fluentbitImage",
 		"fpClientId",
+		"fpTenantId",
 		"fpServicePrincipalId",
 		"gatewayDomains",
 		"gatewayResourceGroupName",
@@ -475,6 +476,9 @@ func (g *generator) rpVMSS() *arm.Resource {
 		"keyvaultPrefix",
 		"mdmFrontendUrl",
 		"mdsdEnvironment",
+		"miseLogLEVEL",
+		"miseAddress",
+		"miseAllowedHosts",
 		"portalAccessGroupIds",
 		"portalClientId",
 		"portalElevatedGroupIds",
@@ -499,6 +503,18 @@ func (g *generator) rpVMSS() *arm.Resource {
 		)
 	}
 
+	// convert array variables to string using ARM string() function to be passed via customScript later
+	for _, variable := range []string{
+		"miseValidAudiences",
+		"miseValidAppIDs",
+	} {
+		parts = append(parts,
+			fmt.Sprintf("'%s=$(base64 -d <<<'''", strings.ToUpper(variable)),
+			fmt.Sprintf("base64(string(parameters('%s')))", variable),
+			"''')\n'",
+		)
+	}
+
 	for _, variable := range []string{
 		"adminApiCaBundle",
 		"armApiCaBundle",
@@ -514,6 +530,10 @@ func (g *generator) rpVMSS() *arm.Resource {
 		"'MDMIMAGE=''"+version.MdmImage("")+"''\n'",
 	)
 
+	parts = append(parts,
+		"'MISEIMAGE=''"+version.MiseImage("")+"''\n'",
+	)
+
 	parts = append(parts,
 		"'LOCATION=$(base64 -d <<<'''",
 		"base64(resourceGroup().location)",

pkg/deploy/generator/scripts/rpVMSS.sh

@@ -130,9 +130,11 @@ mkdir -p /root/.docker
 REGISTRY_AUTH_FILE=/root/.docker/config.json az acr login --name "$(sed -e 's|.*/||' <<<"$ACRRESOURCEID")"
 
 MDMIMAGE="${RPIMAGE%%/*}/${MDMIMAGE##*/}"
+MISEIMAGE="${RPIMAGE%%/*}/${MISEIMAGE##*/}"
 docker pull "$MDMIMAGE"
 docker pull "$RPIMAGE"
 docker pull "$FLUENTBITIMAGE"
+docker pull "$MISEIMAGE"
 
 az logout
 
@@ -264,6 +266,101 @@ StartLimitInterval=0
 WantedBy=multi-user.target
 EOF
 
+mkdir -p /app/mise
+echo "configuring MISE service"
+cat >/etc/sysconfig/mise <<EOF
+AZURECLOUDNAME='$AZURECLOUDNAME'
+ARMCLIENTID='$ARMCLIENTID'
+FPCLIENTID='$FPCLIENTID'
+FPTENANTID='$FPTENANTID'
+MISEIMAGE='$MISEIMAGE'
+MISELOGLEVEL='$MISELOGLEVEL'
+MISE_ADDRESS='$MISEADDRESS'
+MISEALLOWEDHOSTS='$MISEALLOWEDHOSTS'
+MISEVALIDAUDIENCES='$MISEVALIDAUDIENCES'
+MISEVALIDAPPIDS='$MISEVALIDAPPIDS'
+EOF
+
+LOGININSTANCE="https://login.microsoftonline.com"
+if [[ $AZURECLOUDNAME == "AzureUSGovernment" ]]; then
+  LOGININSTANCE="https://login.microsoftonline.us"
+fi
+
+cat >/app/appsettings.json <<EOF
+{
+    "Version": "1",
+    "HeartbeatIntervalMs": 5000,
+    "AzureAd": {
+        "Instance": "$LOGININSTANCE",
+        "ClientId": "$FPCLIENTID",
+        "TenantId": "$FPTENANTID",
+        "MinimumDataClassificationCategory": "SystemMetadata",
+        "InboundPolicies": [
+            {
+                "Label": "aro-policy",
+                "Authority": "$LOGININSTANCE/$FPTENANTID/v2.0",
+                "AuthenticationSchemes": [
+                    "Bearer"
+                ],
+                "ValidAudiences": $MISEVALIDAUDIENCES,
+                "ValidApplicationIds": $MISEVALIDAPPIDS
+            }
+        ],
+        "Logging": {
+            "LogLevel": "$MISELOGLEVEL"
+        },
+        "Modules": {
+            "TrV2": {
+                "ModuleType": "TrV2Module",
+                "Enabled": true
+            }
+        }
+    },
+    "AllowedHosts": "$MISEALLOWEDHOSTS",
+    "Kestrel": {
+        "Endpoints": {
+            "Http": {
+                "Url": "$MISEADDRESS"
+            }
+        }
+    },
+    "Logging": {
+        "LogLevel": {
+            "Default": "$MISELOGLEVEL",
+            "Microsoft": "$MISELOGLEVEL",
+            "Microsoft.Hosting.Lifetime": "$MISELOGLEVEL"
+        }
+    }
+}
+EOF
+
+cat >/etc/systemd/system/mise.service <<'EOF'
+[Unit]
+After=network-online.target
+Wants=network-online.target
+StartLimitIntervalSec=0
+
+[Service]
+RestartSec=1s
+EnvironmentFile=/etc/sysconfig/mise
+ExecStartPre=-/usr/bin/docker rm -f %N
+ExecStart=/usr/bin/docker run \
+  -p 5000:5000 \
+  -v /app/appsettings.json:/app/appsettings.json \
+  --hostname %H \
+  --name %N \
+  --net=host \
+  --rm \
+  $MISEIMAGE
+ExecStop=/usr/bin/docker stop %N
+Restart=always
+RestartSec=3
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
 echo "configuring aro-rp service"
 cat >/etc/sysconfig/aro-rp <<EOF
 ACR_RESOURCE_ID='$ACRRESOURCEID'
@@ -286,12 +383,14 @@ KEYVAULT_PREFIX='$KEYVAULTPREFIX'
 MDM_ACCOUNT='$RPMDMACCOUNT'
 MDM_NAMESPACE=RP
 MDSD_ENVIRONMENT='$MDSDENVIRONMENT'
+MISE_ADDRESS='$MISEADDRESS'
 RP_FEATURES='$RPFEATURES'
 RPIMAGE='$RPIMAGE'
 ARO_INSTALL_VIA_HIVE='$CLUSTERSINSTALLVIAHIVE'
 ARO_HIVE_DEFAULT_INSTALLER_PULLSPEC='$CLUSTERDEFAULTINSTALLERPULLSPEC'
 ARO_ADOPT_BY_HIVE='$CLUSTERSADOPTBYHIVE'
 USE_CHECKACCESS='$USECHECKACCESS'
+ARO_MISE_AUTH_ENABLED='$ARO_MISE_AUTH_ENABLED'
 EOF
 
 cat >/etc/systemd/system/aro-rp.service <<'EOF'
@@ -680,7 +779,7 @@ cat >/etc/default/vsa-nodescan-agent.config <<EOF
 EOF
 
 echo "enabling aro services"
-for service in aro-dbtoken aro-monitor aro-portal aro-rp auoms azsecd azsecmond mdsd mdm chronyd fluentbit; do
+for service in aro-dbtoken aro-monitor aro-portal aro-rp mise auoms azsecd azsecmond mdsd mdm chronyd fluentbit; do
   systemctl enable $service.service
 done
 

pkg/deploy/generator/templates_rp.go

@@ -52,6 +52,7 @@ func (g *generator) rpTemplate() *arm.Template {
 			"disableCosmosDBFirewall",
 			"fluentbitImage",
 			"fpClientId",
+			"fpTenantId",
 			"fpServicePrincipalId",
 			"ipRules",
 			"keyvaultPrefix",
@@ -62,6 +63,11 @@ func (g *generator) rpTemplate() *arm.Template {
 			"ipRules",
 			"mdmFrontendUrl",
 			"mdsdEnvironment",
+			"miseLogLEVEL",
+			"miseAddress",
+			"miseAllowedHosts",
+			"miseValidAudiences",
+			"miseValidAppIDs",
 			"nonZonalRegions",
 			"portalAccessGroupIds",
 			"portalClientId",
@@ -120,6 +126,19 @@ func (g *generator) rpTemplate() *arm.Template {
 		case "rpVmssCapacity":
 			p.Type = "int"
 			p.DefaultValue = 3
+		case "miseLogLEVEL":
+			p.Type = "string"
+			p.DefaultValue = "Information"
+		case "miseAddress":
+			p.Type = "string"
+			p.DefaultValue = "http://localhost:5000"
+		case "miseAllowedHosts":
+			p.Type = "string"
+			p.DefaultValue = "*"
+		case "miseValidAudiences":
+			p.Type = "array"
+		case "miseValidAppIDs":
+			p.Type = "array"
 		case "nonZonalRegions":
 			p.Type = "array"
 			p.DefaultValue = []string{

pkg/util/version/const.go

@@ -64,3 +64,8 @@ func MUOImage(acrDomain string) string {
 func GateKeeperImage(acrDomain string) string {
 	return acrDomain + "/gatekeeper:v3.11.1"
 }
+
+// MiseImage contains the location of the Mise container image
+func MiseImage(acrDomain string) string {
+	return acrDomain + "/mise:1.0.02609.71-mise-cbl-mariner2.0-distroless"
+}