Azure · jonathan34c · Aug 9, 2023 · Aug 9, 2023 · Aug 9, 2023 · Aug 10, 2023
@@ -0,0 +1,10 @@
+# Build container for POC usage
+ARG REGISTRY
+FROM ${REGISTRY}/ubi8/ubi-minimal
+RUN microdnf update && microdnf clean all
+RUN curl -o /etc/pki/ca-trust/source/anchors/AMEROOT_ameroot.crt http://crl.microsoft.com/pkiinfra/certs/AMEROOT_ameroot.crt && update-ca-trust
+COPY ./aro /usr/local/bin/
+ENTRYPOINT ["aro"]
+# Endpoint used for healthz. We may also use this endpoint for HTTP handler (configurable)
+EXPOSE 8080/tcp
+USER 1000
@@ -260,3 +260,9 @@ vendor:
 	hack/update-go-module-dependencies.sh
 
 .PHONY: admin.kubeconfig aks.kubeconfig aro az clean client deploy dev-config.yaml discoverycache generate image-aro image-aro-multistage image-fluentbit image-proxy lint-go runlocal-rp proxy publish-image-aro publish-image-aro-multistage publish-image-fluentbit publish-image-proxy secrets secrets-update e2e.test tunnel test-e2e test-go test-python vendor build-all validate-go  unit-test-go coverage-go validate-fips
+
+poc-pkg:
+	helm package poc/pkg
+
+poc-build-deploy:
+	poc/hack/build-deploy.sh $(alias)
@@ -5,104 +5,37 @@ package main
 
 import (
 	"context"
-	"flag"
 	"fmt"
-	"math/rand"
-	"net/http"
 	_ "net/http/pprof"
 	"os"
-	"strings"
-	"time"
 
 	"github.com/Azure/ARO-RP/pkg/env"
 	utillog "github.com/Azure/ARO-RP/pkg/util/log"
 	_ "github.com/Azure/ARO-RP/pkg/util/scheme"
-	"github.com/Azure/ARO-RP/pkg/util/version"
+	"github.com/spf13/pflag"
 )
 
-func usage() {
-	fmt.Fprint(flag.CommandLine.Output(), "usage:\n")
-	fmt.Fprintf(flag.CommandLine.Output(), "  %s dbtoken\n", os.Args[0])
-	fmt.Fprintf(flag.CommandLine.Output(), "  %s deploy config.yaml location\n", os.Args[0])
-	fmt.Fprintf(flag.CommandLine.Output(), "  %s gateway\n", os.Args[0])
-	fmt.Fprintf(flag.CommandLine.Output(), "  %s mirror [release_image...]\n", os.Args[0])
-	fmt.Fprintf(flag.CommandLine.Output(), "  %s monitor\n", os.Args[0])
-	fmt.Fprintf(flag.CommandLine.Output(), "  %s portal\n", os.Args[0])
-	fmt.Fprintf(flag.CommandLine.Output(), "  %s rp\n", os.Args[0])
-	fmt.Fprintf(flag.CommandLine.Output(), "  %s operator {master,worker}\n", os.Args[0])
-	fmt.Fprintf(flag.CommandLine.Output(), "  %s update-versions\n", os.Args[0])
-	flag.PrintDefaults()
+var (
+	serverPort string
+	enableMISE bool
+)
+
+func init() {
+	pflag.StringVar(&serverPort, "server-port", "8080", "port to service http requests")
+	pflag.BoolVar(&enableMISE, "enable-mise", false, "enable MISE authentication for http requests")
 }
 
 func main() {
-	rand.Seed(time.Now().UnixNano())
+	pflag.Parse()
 
-	flag.Usage = usage
-	flag.Parse()
-
-	ctx := context.Background()
-	audit := utillog.GetAuditEntry()
 	log := utillog.GetLogger()
 
-	go func() {
-		log.Warn(http.ListenAndServe("localhost:6060", nil))
-	}()
-
-	log.Printf("starting, git commit %s", version.GitCommit)
-
-	var err error
-	switch strings.ToLower(flag.Arg(0)) {
-	case "dbtoken":
-		checkArgs(1)
-		err = dbtoken(ctx, log)
-	case "deploy":
-		checkArgs(3)
-		err = deploy(ctx, log)
-	case "gateway":
-		checkArgs(1)
-		err = gateway(ctx, log)
-	case "mirror":
-		checkMinArgs(1)
-		err = mirror(ctx, log)
-	case "monitor":
-		checkArgs(1)
-		err = monitor(ctx, log)
-	case "rp":
-		checkArgs(1)
-		err = rp(ctx, log, audit)
-	case "portal":
-		checkArgs(1)
-		err = portal(ctx, log, audit)
-	case "operator":
-		checkArgs(2)
-		err = operator(ctx, log)
-	case "update-versions":
-		checkArgs(1)
-		err = updateOCPVersions(ctx, log)
-	default:
-		usage()
-		os.Exit(2)
-	}
-
-	if err != nil {
+	ctx := context.Background()
+	if err := rpPoc(ctx, log); err != nil {
 		log.Fatal(err)
 	}
 }
 
-func checkArgs(required int) {
-	if len(flag.Args()) != required {
-		usage()
-		os.Exit(2)
-	}
-}
-
-func checkMinArgs(required int) {
-	if len(flag.Args()) < required {
-		usage()
-		os.Exit(2)
-	}
-}
-
 func DBName(isLocalDevelopmentMode bool) (string, error) {
 	if !isLocalDevelopmentMode {
 		return "ARO", nil

@@ -0,0 +1,40 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/Azure/ARO-RP/pkg/poc"
+	"github.com/sirupsen/logrus"
+)
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+func rpPoc(ctx context.Context, log *logrus.Entry) error {
+	log.Print("********** ARO-RP on AKS PoC **********")
+	ctx, shutdown := context.WithCancel(ctx)
+	defer shutdown()
+	go handleSigterm(log, shutdown)
+
+	config := poc.FrontendConfig{
+		Port:       serverPort,
+		EnableMISE: enableMISE,
+	}
+
+	frontEnd := poc.NewFrontend(log, config)
+
+	return frontEnd.Run(ctx)
+}
+
+func handleSigterm(log *logrus.Entry, shutdown context.CancelFunc) {
+	signals := make(chan os.Signal, 1)
+	signal.Notify(signals, syscall.SIGTERM)
+	<-signals
+
+	log.Print("received SIGTERM. Terminating...")
+
+	shutdown()
+}
@@ -0,0 +1,113 @@
+package poc
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
+	"github.com/sirupsen/logrus"
+)
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+type FrontendConfig struct {
+	Port string
+	// TODO(jonachang) delete this in production
+	EnableMISE bool
+}
+
+type frontend struct {
+	logger *logrus.Entry
+	port   string
+	router chi.Router
+}
+
+func NewFrontend(logger *logrus.Entry, config FrontendConfig) frontend {
+	var router chi.Router
+	if config.EnableMISE {
+		router = getMiseRouter()
+	} else {
+		router = getNonMiseRouter()
+	}
+
+	return frontend{
+		logger: logger,
+		port:   config.Port,
+		router: router,
+	}
+}
+
+func (f *frontend) Run(ctx context.Context) error {
+	router := f.router
+	server := &http.Server{
+		Addr:     ":" + f.port,
+		Handler:  router,
+		ErrorLog: log.New(f.logger.Writer(), "", 0),
+	}
+
+	go func() {
+		f.logger.Info("Starting http server...")
+		if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			f.logger.Fatalf("Server listen/serve error: %s", err)
+		}
+	}()
+
+	<-ctx.Done()
+
+	f.logger.Info("Stopping http server")
+	err := server.Shutdown(context.Background())
+	if err != nil {
+		f.logger.Errorf("Server shutdown error: %s", err)
+	}
+
+	return err
+}
+
+func getBaseRouter() chi.Router {
+	r := chi.NewRouter()
+	r.Use(middleware.Logger)
+	r.Get("/healthz", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(200)
+		w.Write([]byte("ok"))
+	})
+	return r
+}
+
+func getMiseRouter() chi.Router {
+	r := getBaseRouter()
+	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
+		miseToken := extractAuthBearerToken(r.Header)
+		miseRespCode, miseRespBody, err := authenticateWithMISE(r.Context(), miseToken, r.Method)
+		if err != nil {
+			err = fmt.Errorf("unable to perform authentication with MISE: %s", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		if miseRespCode != http.StatusOK {
+			err = fmt.Errorf("MISE authentication failed with code %d and body %s", miseRespCode, miseRespBody)
+			http.Error(w, err.Error(), miseRespCode)
+			return
+		}
+		w.Write([]byte("****** Welcome to ARO-RP on AKS PoC mise ******"))
+	})
+	return r
+}
+
+func getNonMiseRouter() chi.Router {
+	r := getBaseRouter()
+	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("****** Welcome to ARO-RP on AKS PoC no mise ******"))
+	})
+	return r
+}
+
+func extractAuthBearerToken(h http.Header) string {
+	auth := h.Get("Authorization")
+	token := strings.TrimPrefix(auth, "Bearer ")
+	return strings.TrimSpace(token)
+}
@@ -0,0 +1,62 @@
+package poc
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+)
+
+type miseRequestData struct {
+	MiseURL        string
+	OriginalURI    string
+	OriginalMethod string
+	Token          string
+}
+
+const (
+	miseURL   = "http://localhost:5000/ValidateRequest"
+	originURI = "https://server/endpoint"
+)
+
+func authenticateWithMISE(ctx context.Context, token, requestMethod string) (int, string, error) {
+
+	requestData := miseRequestData{
+		MiseURL:        miseURL,
+		OriginalURI:    originURI,
+		OriginalMethod: requestMethod,
+		Token:          token,
+	}
+
+	req, err := createMiseHTTPRequest(ctx, requestData)
+	if err != nil {
+		return 0, "", err
+	}
+
+	// TODO(jonachang): need to cache the client when in production.
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return 0, "", err
+	}
+	defer resp.Body.Close()
+
+	bodyBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return 0, "", fmt.Errorf("error reading response body: %w", err)
+	}
+
+	return resp.StatusCode, string(bodyBytes), nil
+}
+
+func createMiseHTTPRequest(ctx context.Context, data miseRequestData) (*http.Request, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, data.MiseURL, bytes.NewBuffer(nil))
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Original-URI", data.OriginalURI)
+	req.Header.Set("Original-Method", data.OriginalMethod)
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", data.Token))
+	return req, nil
+}
@@ -0,0 +1,18 @@
+# Feature
+This project is part of the [migration tasks](https://dev.azure.com/msazure/AzureRedHatOpenShift/_wiki/wikis/AzureRedHatOpenShift.wiki/515448/Migration) to migrate the RP application from VMSS to the AKS Cluster and follow the [design](https://dev.azure.com/msazure/AzureRedHatOpenShift/_wiki/wikis/AzureRedHatOpenShift.wiki/567165/Mock-RP-Design).
+
+# Pipelines (Build & Release)
+- [RP Infrastructure - INT](https://dev.azure.com/msazure/AzureRedHatOpenShift/_build?definitionId=321081)
+
+# Resources
+- Deployment:
+    - Set up the cluster and deploy the RP application.
+- [Istio](https://dev.azure.com/msazure/AzureRedHatOpenShift/_wiki/wikis/AzureRedHatOpenShift.wiki/499024/Istio):
+    - Follow [AKS Instruction](https://learn.microsoft.com/en-us/azure/aks/istio-about) to implement the Istio addon for the AKS cluster.
+    - Use it to create an Istio service mesh and gateway for the RP application.
+- [TLS Certificate](https://learn.microsoft.com/en-us/azure/aks/ingress-tls?tabs=azure-cli):
+    - Use the [CSI driver](https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver) to synchronize the Key Vault certificate to AKS.
+    - Create a dummy pod in the `aks-istio-ingress` namespace to synchronize the certificate using the CSI driver.
+- [MISE](https://identitydivision.visualstudio.com/DevEx/_git/MISE?path=%2Fdocs%2FContainer.md&_a=preview):
+    - Currently, follow the [sidecar pattern](https://dev.azure.com/msazure/AzureRedHatOpenShift/_wiki/wikis/AzureRedHatOpenShift.wiki/595474/MISE-istio-external-authorization-V.S.-side-car-pattern) to implement MISE.
+    - To enable MISE authentication, edit the `values.yaml`'s `MISE_AUTH_ENABLED` attribute and `enableMISE` in `pkg>poc>miseAuthentication.go` to be either true or false.
@@ -0,0 +1,8 @@
+# Scripts for ARO-RP on AKS POC
+
+## build-deploy.sh
+- Used to build and deploy ARO-RP from local environment to the test AKS cluster
+- Run this via the Makefile. 
+- In the root ARO-RP directory, run `make alias=*your_alias* poc-build-deploy`
+- This will upload your local RP image to the ACR as `dev/*your_alias*:latest`
+- This will create a namespaces `*your_alias*-dev` where the local RP build will be deployed