Merge pull request #1011 from Azure/skuznets/acrpull

ARO-9420: *: add acrpull controller, binding

Author: bennerv

dev-infrastructure/Makefile

@@ -27,23 +27,18 @@ list:
 	@grep '^[^#[:space:]].*:' Makefile
 .PHONY: list
 
-fmt:
-	set -e; \
-	FILES="$$(find . -type f -name "*.bicep*" ! -name "*.tmpl.bicepparam")"; \
-	for file in $$FILES; do \
-	echo "az bicep format --file $${file}"; \
-	az bicep format --file $$file; \
-	done
-.PHONY: fmt
-
-lint:
-	set -e; \
-	FILES="$$(find . -type f -name "*.bicep*" ! -name "*.tmpl.bicepparam")"; \
-	for file in $$FILES; do \
-	echo "az bicep lint --file $${file}"; \
-	az bicep lint --file $$file; \
-	done
-.PHONY: lint
+modules := $(wildcard ./templates/*.bicep)
+parameters := $(filter-out $(wildcard ./templates/*.tmpl.bicepparam),$(wildcard ./templates/*.bicepparam))
+
+fmt: $(modules:.bicep=.bicep.fmt) $(parameters:.bicepparam=.biceparam.fmt)
+
+lint: $(modules:.bicep=.bicep.lint) $(parameters:.bicepparam=.biceparam.lint)
+
+%.bicep.fmt %.bicepparam.fmt:
+	az bicep format --file $(basename $@)
+
+%.bicep.lint %.bicepparam.lint:
+	az bicep lint --file $(basename $@)
 
 feature-registration: # hardcoded to eastus as this is a subscription deployment, not a resource group
 	@az deployment sub create \

dev-infrastructure/modules/aks-cluster-base.bicep

@@ -469,6 +469,42 @@ resource uami_fedcred 'Microsoft.ManagedIdentity/userAssignedIdentities/federate
   }
 ]
 
+//
+//  A C R   P U L L   C O N T R O L L E R
+//
+
+resource pullerIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+  location: location
+  name: 'image-puller'
+}
+
+module acrPullerRoles 'acr/acr-permissions.bicep' = [
+  for (_, i) in acrPullResourceGroups: {
+    name: guid(acrRg[i].id, aksCluster.id, acrPullRoleDefinitionId, 'puller-identity')
+    scope: acrRg[i]
+    params: {
+      principalId: pullerIdentity.properties.principalId
+      acrResourceGroupid: acrRg[i].id
+    }
+  }
+]
+
+@batchSize(1)
+resource puller_fedcred 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = [
+  for i in range(0, length(workloadIdentities)): {
+    parent: pullerIdentity
+    name: '${workloadIdentities[i].value.uamiName}-${location}-puller-fedcred'
+    properties: {
+      audiences: [
+        'api://AzureCRTokenExchange'
+      ]
+      issuer: aksCluster.properties.oidcIssuerProfile.issuerURL
+      subject: 'system:serviceaccount:${workloadIdentities[i].value.namespace}:${workloadIdentities[i].value.serviceAccountName}'
+    }
+  }
+]
+
+
 // grant aroDevopsMsi the aksClusterAdmin role on the aksCluster so it can
 // deploy services to the cluster
 resource aroDevopsMSIClusterAdmin 'Microsoft.Authorization/roleAssignments@2022-04-01' = {

frontend/Makefile

@@ -5,8 +5,9 @@ HELM_CMD ?= helm upgrade --install
 ifndef COMMIT
 COMMIT := $(shell git rev-parse --short=7 HEAD)
 endif
-ARO_HCP_BASE_IMAGE ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
-ARO_HCP_FRONTEND_IMAGE ?= $(ARO_HCP_BASE_IMAGE)/arohcpfrontend:$(COMMIT)
+ARO_HCP_IMAGE_REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
+ARO_HCP_IMAGE_REPOSITORY ?= arohcpfrontend
+ARO_HCP_FRONTEND_IMAGE ?= $(ARO_HCP_IMAGE_REGISTRY)/$(ARO_HCP_IMAGE_REPOSITORY):$(COMMIT)
 
 .DEFAULT_GOAL := frontend
 
@@ -44,11 +45,23 @@ deploy:
 	FRONTEND_MI_CLIENT_ID=$$(az identity show \
 			-g ${RESOURCEGROUP} \
 			-n frontend \
-			--query clientId -o tsv); \
+			--query clientId -o tsv) && \
+	FRONTEND_MI_TENANT_ID=$$(az identity show \
+			-g ${RESOURCEGROUP} \
+			-n frontend \
+			--query tenantId -o tsv) &&\
+	IMAGE_PULLER_MI_CLIENT_ID=$$(az identity show \
+			-g ${RESOURCEGROUP} \
+			-n image-puller \
+			--query clientId -o tsv) && \
+	IMAGE_PULLER_MI_TENANT_ID=$$(az identity show \
+			-g ${RESOURCEGROUP} \
+			-n image-puller \
+			--query tenantId -o tsv) && \
 	SECRET_STORE_MI_CLIENT_ID=$$(az aks show --resource-group ${RESOURCEGROUP} \
 			--name ${AKS_NAME} \
 			--query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId \
-			--output tsv); \
+			--output tsv) && \
 	DB_URL=$$(az cosmosdb show -n ${DB_NAME} -g ${RESOURCEGROUP} --query documentEndpoint -o tsv) && \
 	TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
 	kubectl create namespace aro-hcp --dry-run=client -o json | kubectl apply -f - && \
@@ -63,9 +76,14 @@ deploy:
 		--set credsKeyVault.name=${SERVICE_KEY_VAULT} \
 		--set credsKeyVault.secret=${CERTIFICATE_NAME} \
 		--set serviceAccount.workloadIdentityClientId="$${FRONTEND_MI_CLIENT_ID}" \
+		--set serviceAccount.workloadIdentityTenantId="$${FRONTEND_MI_TENANT_ID}" \
+		--set pullBinding.workloadIdentityClientId="$${IMAGE_PULLER_MI_CLIENT_ID}" \
+		--set pullBinding.workloadIdentityTenantId="$${IMAGE_PULLER_MI_TENANT_ID}" \
 		--set configMap.currentVersion=${ARO_HCP_FRONTEND_IMAGE} \
 		--set configMap.location=${LOCATION}  \
 		--set deployment.imageName=${ARO_HCP_FRONTEND_IMAGE} \
+		--set pullBinding.registry=${ARO_HCP_IMAGE_REGISTRY} \
+		--set pullBinding.scope=repository:${ARO_HCP_IMAGE_REPOSITORY}:pull \
 		--namespace aro-hcp
 .PHONY: deploy
 

frontend/deploy/helm/frontend/templates/acrpullbinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: acrpull.microsoft.com/v1beta2
+kind: AcrPullBinding
+metadata:
+  name: pull-binding
+spec:
+  acr:
+    environment: PublicCloud
+    server: {{ .Values.pullBinding.registry }}
+    scope: {{ .Values.pullBinding.scope }}
+  auth:
+    workloadIdentity:
+      serviceAccountRef: frontend
+      clientID: {{ .Values.pullBinding.workloadIdentityClientId }}
+      tenantID: {{ .Values.pullBinding.workloadIdentityTenantId }}
+  serviceAccountName: frontend

frontend/deploy/helm/frontend/templates/serviceaccount.yaml

@@ -3,4 +3,5 @@ kind: ServiceAccount
 metadata:
   annotations:
     azure.workload.identity/client-id: '{{ .Values.serviceAccount.workloadIdentityClientId }}'
+    azure.workload.identity/tenant-id: '{{ .Values.serviceAccount.workloadIdentityTenantId }}'
   name: frontend

frontend/deploy/helm/frontend/values.yaml

@@ -14,3 +14,9 @@ deployment:
   imageName: ""
 serviceAccount:
   workloadIdentityClientId: ""
+  workloadIdentityTenantId: ""
+pullBinding:
+  registry: ""
+  scope: ""
+  workloadIdentityClientId: ""
+  workloadIdentityTenantId: ""