From 910d3cd8d59f0013b808b1370b31d7777398c657 Mon Sep 17 00:00:00 2001
From: Automatic Update
Date: Tue, 7 May 2024 10:33:03 +0200
Subject: [PATCH] Remove velero app registration auth

---
 .../base-infrastructure/bootstrap.sh | 2 -
 scripts/radix-zone/radix_zone_c2.env | 1 -
 scripts/radix-zone/radix_zone_dev.env | 1 -
 scripts/radix-zone/radix_zone_playground.env | 1 -
 scripts/radix-zone/radix_zone_prod.env | 1 -
 scripts/velero/bootstrap.sh | 61 +------------------
 .../install_prerequisites_in_cluster.sh | 49 --------------
 scripts/velero/teardown.sh | 5 --
 .../modules/storageaccount/main.tf | 16 ----
 .../modules/storageaccount/variables.tf | 5 --
 .../subscriptions/s940/c2/common/main.tf | 1 -
 .../subscriptions/s940/c2/common/variables.tf | 1 -
 .../subscriptions/s940/extmon/common/main.tf | 1 -
 .../s940/extmon/common/variables.tf | 1 -
 .../subscriptions/s940/prod/common/main.tf | 1 -
 .../s940/prod/common/variables.tf | 1 -
 .../subscriptions/s941/dev/common/main.tf | 1 -
 .../s941/playground/common/main.tf | 1 -
 .../s941/playground/common/variables.tf | 1 -
 19 files changed, 1 insertion(+), 150 deletions(-)

diff --git a/scripts/radix-zone/base-infrastructure/bootstrap.sh b/scripts/radix-zone/base-infrastructure/bootstrap.sh
index cfaa1f11b..e30a96302 100755
--- a/scripts/radix-zone/base-infrastructure/bootstrap.sh
+++ b/scripts/radix-zone/base-infrastructure/bootstrap.sh
@@ -164,7 +164,6 @@ echo -e " - AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER : $AZ_SYSTEM_USER_CON
 echo -e " - AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
 echo -e " - APP_REGISTRATION_WEB_CONSOLE : $APP_REGISTRATION_WEB_CONSOLE"
 echo -e " - APP_REGISTRATION_GRAFANA : $APP_REGISTRATION_GRAFANA"
-echo -e " - APP_REGISTRATION_VELERO : $APP_REGISTRATION_VELERO"
 echo -e " - APP_REGISTRATION_SERVICENOW_SERVER : $APP_REGISTRATION_SERVICENOW_SERVER"
 echo -e ""
 echo -e " - MI_AKS : $MI_AKS"
@@ -474,7 +473,6 @@ function create_base_system_users_and_store_credentials() {
 create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER" "Service principal that provide read-only access to container registry"
 create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD" "Service principal that provide push, pull, build in container registry"
 create_service_principal_and_store_credentials "$APP_REGISTRATION_GRAFANA" "Grafana OAuth"
- create_service_principal_and_store_credentials "$APP_REGISTRATION_VELERO" "Used by Velero to access Azure resources"
 create_service_principal_and_store_credentials "$APP_REGISTRATION_WEB_CONSOLE" "Used by web console for login and other AD information"
 }
diff --git a/scripts/radix-zone/radix_zone_c2.env b/scripts/radix-zone/radix_zone_c2.env
index 60e0a05ae..89df06eea 100644
--- a/scripts/radix-zone/radix_zone_c2.env
+++ b/scripts/radix-zone/radix_zone_c2.env
@@ -99,7 +99,6 @@ AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"
 # App registrations
 APP_REGISTRATION_GRAFANA="ar-radix-grafana-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
-APP_REGISTRATION_VELERO="ar-radix-velero-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
 APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"
 APP_REGISTRATION_RESOURCE_LOCK_OPERATOR="ar-radix-resource-lock-operator-${RADIX_ENVIRONMENT}"
diff --git a/scripts/radix-zone/radix_zone_dev.env b/scripts/radix-zone/radix_zone_dev.env
index 387c19574..1f5f099df 100644
--- a/scripts/radix-zone/radix_zone_dev.env
+++ b/scripts/radix-zone/radix_zone_dev.env
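Review bot: Removing APP_REGISTRATION_VELERO from radix_zone_c2.env (and from the dev, playground and prod env files in the following hunks) means any script outside this patch that still reads the variable now gets an empty string, which `az` commands would receive as an empty name instead of failing early. The velero scripts touched here drop their own references, but whether anything else sources these files for it cannot be told from the patch; a repository-wide search for `APP_REGISTRATION_VELERO` before merging would settle it. If a leftover reader is found, guarding it with `: "${APP_REGISTRATION_VELERO:?no longer defined, velero auth is managed by Terraform}"` turns the silent empty value into an explicit failure.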
@@ -102,7 +102,6 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"
 # App registrations
 APP_REGISTRATION_GRAFANA="ar-radix-grafana-${CLUSTER_TYPE}"
-APP_REGISTRATION_VELERO="radix-velero-${RADIX_ENVIRONMENT}"
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
 APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}"
 APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"
diff --git a/scripts/radix-zone/radix_zone_playground.env b/scripts/radix-zone/radix_zone_playground.env
index d3513b25d..f055ac83e 100644
--- a/scripts/radix-zone/radix_zone_playground.env
+++ b/scripts/radix-zone/radix_zone_playground.env
@@ -101,7 +101,6 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"
 # App registrations
 APP_REGISTRATION_GRAFANA="ar-radix-grafana-${CLUSTER_TYPE}"
-APP_REGISTRATION_VELERO="radix-velero-${RADIX_ENVIRONMENT}"
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
 APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}"
 APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"
diff --git a/scripts/radix-zone/radix_zone_prod.env b/scripts/radix-zone/radix_zone_prod.env
index 03c503be2..7b1f7e706 100644
--- a/scripts/radix-zone/radix_zone_prod.env
+++ b/scripts/radix-zone/radix_zone_prod.env
@@ -102,7 +102,6 @@ AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"
 # App registrations
 APP_REGISTRATION_GRAFANA="ar-radix-grafana-${CLUSTER_TYPE}"
 APP_REGISTRATION_EXT_MON="ar-radix-grafana-ext-mon"
-APP_REGISTRATION_VELERO="radix-velero-${RADIX_ENVIRONMENT}"
 APP_REGISTRATION_NETWORKPOLICY_CANARY="ar-radix-networkpolicy-canary"
 APP_REGISTRATION_WEB_CONSOLE="Omnia Radix Web Console - ${CLUSTER_TYPE}"
 APP_REGISTRATION_GITHUB_MAINTENANCE="ar-radix-platform-github-${RADIX_ENVIRONMENT}-cluster-maintenance"
diff --git a/scripts/velero/bootstrap.sh b/scripts/velero/bootstrap.sh
index 2b519c73b..5388af03c 100755
--- a/scripts/velero/bootstrap.sh
+++ b/scripts/velero/bootstrap.sh
@@ -121,7 +121,6 @@ echo -e " > WHAT:"
 echo -e " -------------------------------------------------------------------"
 echo -e " - AZ_VELERO_RESOURCE_GROUP : $AZ_VELERO_RESOURCE_GROUP"
 echo -e " - AZ_VELERO_STORAGE_ACCOUNT_ID : $AZ_VELERO_STORAGE_ACCOUNT_ID"
-echo -e " - APP_REGISTRATION_VELERO : $APP_REGISTRATION_VELERO"
 echo -e ""
 echo -e " > WHO:"
 echo -e " -------------------------------------------------------------------"
@@ -144,64 +143,6 @@ if [[ $USER_PROMPT == true ]]; then
 fi
 #######################################################################################
-### Resource group and storage container
+### Replaced by Terraform
 ###
-echo ""
-echo "Create resource group..."
-az group create -n "$AZ_VELERO_RESOURCE_GROUP" --location "$AZ_RADIX_ZONE_LOCATION" 2>&1 >/dev/null
-echo "Done."
-
-echo ""
-echo "Create storage account..."
-az storage account create --name "$AZ_VELERO_STORAGE_ACCOUNT_ID" \
- --resource-group "$AZ_VELERO_RESOURCE_GROUP" \
- --encryption-services blob \
- --https-only true \
- --access-tier Hot \
- --min-tls-version "${AZ_STORAGEACCOUNT_MIN_TLS_VERSION}" \
- --sku "${AZ_STORAGEACCOUNT_SKU}" \
- --kind "${AZ_VELERO_STORAGE_ACCOUNT_KIND}" \
- --access-tier "${AZ_STORAGEACCOUNT_TIER}"
- 2>&1 >/dev/null
-echo "Done."
-
-# The blob has to be unique for each cluster, and so we will create a blob when installing the base components for the cluster.
-# This blob will be shared among all clusters. Not good.
-# We will move the creation of a separate blob per cluster into the "install base components" script.
-# echo ""
-# echo "Create storage container..."
-# az storage container create -n "$AZ_VELERO_STORAGE_BLOB_CONTAINER" \
-# --public-access off \
-# --account-name "$AZ_VELERO_STORAGE_ACCOUNT_ID" \
-# 2>&1 >/dev/null
-# echo "Done."
-
-
-#######################################################################################
-### Service principal
-###
-
-
-printf "Working on \"${APP_REGISTRATION_VELERO}\": Creating service principal..."
-AZ_VELERO_SERVICE_PRINCIPAL_SCOPE="$(az group show --name ${AZ_VELERO_RESOURCE_GROUP} | jq -r '.id')"
-AZ_VELERO_SERVICE_PRINCIPAL_PASSWORD="$(az ad sp create-for-rbac --name "$APP_REGISTRATION_VELERO" --scope="${AZ_VELERO_SERVICE_PRINCIPAL_SCOPE}" --role "Contributor" --query 'password' -o tsv)"
-AZ_VELERO_SERVICE_PRINCIPAL_ID="$(az ad sp list --display-name "$APP_REGISTRATION_VELERO" --query '[0].appId' -o tsv)"
-AZ_VELERO_SERVICE_PRINCIPAL_DESCRIPTION="Used by Velero to access Azure resources"
-
-printf "Update credentials in keyvault..."
-update_service_principal_credentials_in_az_keyvault "${APP_REGISTRATION_VELERO}" "${AZ_VELERO_SERVICE_PRINCIPAL_ID}" "${AZ_VELERO_SERVICE_PRINCIPAL_PASSWORD}" "${AZ_VELERO_SERVICE_PRINCIPAL_DESCRIPTION}"
-printf "Done.\n"
-
-# Clean up
-unset AZ_VELERO_SERVICE_PRINCIPAL_PASSWORD # Clear credentials from memory
-
-echo ""
-echo "WARNING!"
-echo "You _must_ manually set team members as owners for the service principal \"$APP_REGISTRATION_VELERO\","
-echo "as this is not possible to do by script (yet)."
-echo ""
-
-echo ""
-echo "Bootstrap of Velero is done!"
-
diff --git a/scripts/velero/install_prerequisites_in_cluster.sh b/scripts/velero/install_prerequisites_in_cluster.sh
index 880db2fa6..e66dc5b2a 100755
--- a/scripts/velero/install_prerequisites_in_cluster.sh
+++ b/scripts/velero/install_prerequisites_in_cluster.sh
@@ -126,7 +126,6 @@ echo -e ""
 echo -e " > WHAT:"
 echo -e " -------------------------------------------------------------------"
 echo -e " - VELERO_NAMESPACE : $VELERO_NAMESPACE"
-echo -e " - APP_REGISTRATION_VELERO : $APP_REGISTRATION_VELERO"
 echo -e " - CREDENTIALS_TEMPLATE_PATH : $CREDENTIALS_TEMPLATE_PATH"
 echo -e " - BACKUP_STORAGE_CONTAINER : $CLUSTER_NAME"
 echo -e ""
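Review bot: After this hunk scripts/velero/bootstrap.sh still asks for confirmation and lists AZ_VELERO_RESOURCE_GROUP and AZ_VELERO_STORAGE_ACCOUNT_ID under WHAT, but then executes nothing: the new `### Replaced by Terraform` header has no body, and the closing `echo "Bootstrap of Velero is done!"` goes with the rest, so an operator gets a silent exit that looks like a completed bootstrap. Either delete the script or make the no-op explicit before the prompt, e.g. `echo "Nothing to do: the Velero resource group, storage account and identity are managed by Terraform."` followed by `exit 0`, and drop the WHAT lines for resources the script no longer touches. The removed block is also where the Contributor-scoped service principal was created and its password written to key vault; nothing in this patch shows the replacement identity, so presumably it lives on the Terraform side and is worth referencing in the commit message. The start of the script is outside the hunk.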
@@ -188,31 +187,6 @@ function cleanup() {
 rm -f "$CREDENTIALS_GENERATED_PATH"
 }
-# function generateCredentialsFile() {
-# local SP_JSON="$(az keyvault secret show \
-# --vault-name $AZ_RESOURCE_KEYVAULT \
-# --name $APP_REGISTRATION_VELERO |
-# jq '.value | fromjson')"
-
-# # Set variables used in the manifest templates
-# local AZURE_SUBSCRIPTION_ID="$AZ_SUBSCRIPTION_ID"
-# local AZURE_CLIENT_ID="$(echo $SP_JSON | jq -r '.id')"
-# local AZURE_TENANT_ID="$(echo $SP_JSON | jq -r '.tenantId')"
-# local AZURE_CLIENT_SECRET="$(echo $SP_JSON | jq -r '.password')"
-
-# # Use the credentials template as a heredoc, then run the heredoc to generate the credentials file
-# CREDENTIALS_GENERATED_PATH="$(mktemp)"
-# local tmp_heredoc="$(mktemp)"
-# (
-# echo "#!/bin/sh"
-# echo "cat <>${CREDENTIALS_GENERATED_PATH}"
-# cat ${CREDENTIALS_TEMPLATE_PATH}
-# echo ""
-# echo "EOF"
-# ) >${tmp_heredoc} && chmod +x ${tmp_heredoc}
-# source "$tmp_heredoc"
-# }
-
 # Run cleanup even if script crashed
 trap cleanup 0 2 3 15
@@ -268,29 +242,6 @@ az storage account network-rule remove \
 --output none \
 --only-show-errors
-# Velero custom RBAC clusterrole
-RBAC_CLUSTERROLE="velero-admin"
-printf "\nCreating $RBAC_CLUSTERROLE clusterrole..\n"
-cat <&1 >/dev/null
diff --git a/scripts/velero/teardown.sh b/scripts/velero/teardown.sh
index f70d36ee6..968c5dda1 100755
--- a/scripts/velero/teardown.sh
+++ b/scripts/velero/teardown.sh
@@ -111,7 +111,6 @@ echo -e " > WHAT:"
 echo -e " -------------------------------------------------------------------"
 echo -e " - AZ_VELERO_RESOURCE_GROUP : $AZ_VELERO_RESOURCE_GROUP"
 echo -e " - AZ_VELERO_STORAGE_ACCOUNT_ID : $AZ_VELERO_STORAGE_ACCOUNT_ID"
-echo -e " - APP_REGISTRATION_VELERO : $APP_REGISTRATION_VELERO"
 echo -e ""
 echo -e " > WHO:"
 echo -e " -------------------------------------------------------------------"
@@ -152,10 +151,6 @@ echo "Deleting resource group..."
 az group delete --yes --name "$AZ_VELERO_RESOURCE_GROUP" 2>&1 >/dev/null
 echo "Done."
-echo ""
-echo "Deleting service principal..."
-delete_ad_app_and_stored_credentials "${APP_REGISTRATION_VELERO}"
-echo "Done."
 #######################################################################################
diff --git a/terraform/subscriptions/modules/storageaccount/main.tf b/terraform/subscriptions/modules/storageaccount/main.tf
index 6bec351f0..f181e09a9 100644
--- a/terraform/subscriptions/modules/storageaccount/main.tf
+++ b/terraform/subscriptions/modules/storageaccount/main.tf
@@ -61,22 +61,6 @@ resource "azurerm_role_assignment" "roleassignment" {
 depends_on = [azurerm_storage_account.storageaccount]
 }
-# #######################################################################################
-# ### Role assignment for Velero Service Principal to be used to the Storage account
-# ###
-
-data "azuread_service_principal" "velero" { # wip To be changed to workload identity in the future
- display_name = var.velero_service_principal
-}
-
-resource "azurerm_role_assignment" "storage_blob_data_conntributor" {
- for_each = can(regex("radixvelero.*", var.name)) ? { "${var.name}" : true } : {}
- scope = azurerm_storage_account.storageaccount.id
- role_definition_name = "Storage Account Contributor"
- principal_id = data.azuread_service_principal.velero.id
- depends_on = [azurerm_storage_account.storageaccount]
-}
-
 ######################################################################################
 ## Blob Protection
 ##
diff --git a/terraform/subscriptions/modules/storageaccount/variables.tf b/terraform/subscriptions/modules/storageaccount/variables.tf
index 3e601655e..e7963e102 100644
--- a/terraform/subscriptions/modules/storageaccount/variables.tf
+++ b/terraform/subscriptions/modules/storageaccount/variables.tf
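Review bot: Dropping `delete_ad_app_and_stored_credentials "${APP_REGISTRATION_VELERO}"` from scripts/velero/teardown.sh leaves no scripted path to remove the app registrations and key vault secrets that earlier bootstraps created; per the bootstrap code removed in this same patch, that is a service principal holding Contributor on the Velero resource group plus its password stored in key vault. Those credentials now outlive the zone they were created for unless someone deletes them by hand. A one-time cleanup of the existing `ar-radix-velero-*` / `radix-velero-*` registrations and their secrets should accompany this change, or at least be called out where the deletion used to be, e.g. `# NOTE: velero app registrations created before <commit id> are no longer torn down here; remove them manually (see <runbook>).` Whether such registrations still exist in every zone cannot be determined from the patch.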
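Review bot: Removing `azurerm_role_assignment.storage_blob_data_conntributor` from the storageaccount module means the next `terraform apply` revokes Storage Account Contributor from the Velero service principal on every account matching `radixvelero.*`, while nothing in this patch grants the replacement identity access (the removed `wip` comment pointed at workload identity as the successor). If any cluster's Velero still authenticates with the key-vault-sourced service principal, its backup storage location loses access at apply time, so the replacement grant should be confirmed in place before this merges. A one-line comment where the block stood would help the next reader, e.g. `# Velero's access to this account is granted through <replacement identity/module>, not a service principal role assignment here.`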
@@ -74,11 +74,6 @@ variable "principal_id" {
 type = string
 }
-variable "velero_service_principal" {
- description = "The Name of the Principal (User, Group or Service Principal) to assign the Role Definition to"
- type = string
-}
-
 variable "vault_id" {
 description = "The ID of the Backup Vault"
 type = string
diff --git a/terraform/subscriptions/s940/c2/common/main.tf b/terraform/subscriptions/s940/c2/common/main.tf
index ceb0dce8c..86cf835e6 100644
--- a/terraform/subscriptions/s940/c2/common/main.tf
+++ b/terraform/subscriptions/s940/c2/common/main.tf
@@ -54,7 +54,6 @@ module "storageaccount" {
 vault_id = module.backupvault.data.backupvault.id
 policyblobstorage_id = module.backupvault.data.policyblobstorage.id
 subnet_id = data.azurerm_subnet.this.id
- velero_service_principal = each.value.velero_service_principal
 vnet_resource_group = module.config.vnet_resource_group
 lifecyclepolicy = each.value.lifecyclepolicy
 }
diff --git a/terraform/subscriptions/s940/c2/common/variables.tf b/terraform/subscriptions/s940/c2/common/variables.tf
index 0d3430c92..b6a9f9ba4 100644
--- a/terraform/subscriptions/s940/c2/common/variables.tf
+++ b/terraform/subscriptions/s940/c2/common/variables.tf
@@ -7,7 +7,6 @@ variable "storageaccounts" {
 account_tier = optional(string, "Standard")
 account_replication_type = optional(string, "LRS")
 kind = optional(string, "StorageV2")
- velero_service_principal = optional(string, "ar-radix-velero-c2-prod")
 change_feed_enabled = optional(bool, false)
 versioning_enabled = optional(bool, false)
 backup = optional(bool, false)
diff --git a/terraform/subscriptions/s940/extmon/common/main.tf b/terraform/subscriptions/s940/extmon/common/main.tf
index 56c9ac790..fcb2055ae 100644
--- a/terraform/subscriptions/s940/extmon/common/main.tf
+++ b/terraform/subscriptions/s940/extmon/common/main.tf
@@ -55,7 +55,6 @@ module "storageaccount" {
 vault_id = module.backupvault.data.backupvault.id
 policyblobstorage_id = module.backupvault.data.policyblobstorage.id
 subnet_id = data.azurerm_subnet.this.id
- velero_service_principal = each.value.velero_service_principal
 vnet_resource_group = module.config.vnet_resource_group
 lifecyclepolicy = each.value.lifecyclepolicy
 }
diff --git a/terraform/subscriptions/s940/extmon/common/variables.tf b/terraform/subscriptions/s940/extmon/common/variables.tf
index 17af0c987..8b7e7beb1 100644
--- a/terraform/subscriptions/s940/extmon/common/variables.tf
+++ b/terraform/subscriptions/s940/extmon/common/variables.tf
@@ -7,7 +7,6 @@ variable "storageaccounts" {
 account_tier = optional(string, "Standard")
 account_replication_type = optional(string, "LRS")
 kind = optional(string, "StorageV2")
- velero_service_principal = optional(string, "radix-velero-prod")
 change_feed_enabled = optional(bool, false)
 versioning_enabled = optional(bool, false)
 backup = optional(bool, false)
diff --git a/terraform/subscriptions/s940/prod/common/main.tf b/terraform/subscriptions/s940/prod/common/main.tf
index a4765719e..3627a3c42 100644
--- a/terraform/subscriptions/s940/prod/common/main.tf
+++ b/terraform/subscriptions/s940/prod/common/main.tf
@@ -54,7 +54,6 @@ module "storageaccount" {
 vault_id = module.backupvault.data.backupvault.id
 policyblobstorage_id = module.backupvault.data.policyblobstorage.id
 subnet_id = data.azurerm_subnet.this.id
- velero_service_principal = each.value.velero_service_principal
 vnet_resource_group = module.config.vnet_resource_group
 lifecyclepolicy = each.value.lifecyclepolicy
 }
diff --git a/terraform/subscriptions/s940/prod/common/variables.tf b/terraform/subscriptions/s940/prod/common/variables.tf
index cf688672c..c5e80a6df 100644
--- a/terraform/subscriptions/s940/prod/common/variables.tf
+++ b/terraform/subscriptions/s940/prod/common/variables.tf
@@ -8,7 +8,6 @@ variable "storageaccounts" {
 account_tier = optional(string, "Standard")
 account_replication_type = optional(string, "LRS")
 kind = optional(string, "StorageV2")
- velero_service_principal = optional(string, "radix-velero-prod")
 change_feed_enabled = optional(bool, false)
 versioning_enabled = optional(bool, false)
 backup = optional(bool, false)
diff --git a/terraform/subscriptions/s941/dev/common/main.tf b/terraform/subscriptions/s941/dev/common/main.tf
index 16e28482c..7011d4298 100644
--- a/terraform/subscriptions/s941/dev/common/main.tf
+++ b/terraform/subscriptions/s941/dev/common/main.tf
@@ -54,7 +54,6 @@ module "storageaccount" {
 vault_id = module.backupvault.data.backupvault.id
 policyblobstorage_id = module.backupvault.data.policyblobstorage.id
 subnet_id = data.azurerm_subnet.this.id
- velero_service_principal = "radix-velero-${module.config.environment}"
 vnet_resource_group = module.config.vnet_resource_group
 lifecyclepolicy = each.value.lifecyclepolicy
 }
diff --git a/terraform/subscriptions/s941/playground/common/main.tf b/terraform/subscriptions/s941/playground/common/main.tf
index 1ad3f5d61..6e301e84a 100644
--- a/terraform/subscriptions/s941/playground/common/main.tf
+++ b/terraform/subscriptions/s941/playground/common/main.tf
@@ -54,7 +54,6 @@ module "storageaccount" {
 vault_id = module.backupvault.data.backupvault.id
 policyblobstorage_id = module.backupvault.data.policyblobstorage.id
 subnet_id = data.azurerm_subnet.this.id
- velero_service_principal = each.value.velero_service_principal
 vnet_resource_group = module.config.vnet_resource_group
 lifecyclepolicy = each.value.lifecyclepolicy
 }
diff --git a/terraform/subscriptions/s941/playground/common/variables.tf b/terraform/subscriptions/s941/playground/common/variables.tf
index 5476c3386..e9fca170c 100644
--- a/terraform/subscriptions/s941/playground/common/variables.tf
+++ b/terraform/subscriptions/s941/playground/common/variables.tf
@@ -7,7 +7,6 @@ variable "storageaccounts" {
 account_tier = optional(string, "Standard")
 account_replication_type = optional(string, "LRS")
 kind = optional(string, "StorageV2")
- velero_service_principal = optional(string, "radix-velero-dev")
 change_feed_enabled = optional(bool, false)
 versioning_enabled = optional(bool, false)
 backup = optional(bool, false)