diff --git a/modules/Microsoft.ContainerService/managedClusters/.test/azure/deploy.test.bicep b/modules/Microsoft.ContainerService/managedClusters/.test/azure/deploy.test.bicep index a83f34c2aa..6f2b1a767f 100644 --- a/modules/Microsoft.ContainerService/managedClusters/.test/azure/deploy.test.bicep +++ b/modules/Microsoft.ContainerService/managedClusters/.test/azure/deploy.test.bicep @@ -158,5 +158,63 @@ module testDeployment '../../deploy.bicep' = { } ] systemAssignedIdentity: true + fluxExtension: { + configurationSettings: { + 'helm-controller.enabled': 'true' + 'source-controller.enabled': 'true' + 'kustomize-controller.enabled': 'true' + 'notification-controller.enabled': 'true' + 'image-automation-controller.enabled': 'false' + 'image-reflector-controller.enabled': 'false' + } + configurations: [ + { + namespace: 'flux-system' + scope: 'cluster' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + } + { + namespace: 'flux-system-helm' + scope: 'cluster' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/Azure/gitops-flux2-kustomize-helm-mt' + } + kustomizations: { + infra: { + path: './infrastructure' + dependsOn: [] + timeoutInSeconds: 600 + syncIntervalInSeconds: 600 + validation: 'none' + prune: true + } + apps: { + path: './apps/staging' + dependsOn: [ + 'infra' + ] + timeoutInSeconds: 600 + syncIntervalInSeconds: 600 + retryIntervalInSeconds: 120 + prune: true + } + } + } + ] + } } } diff --git a/modules/Microsoft.ContainerService/managedClusters/deploy.bicep b/modules/Microsoft.ContainerService/managedClusters/deploy.bicep index 53ac8e1856..1b020ca164 100644 --- a/modules/Microsoft.ContainerService/managedClusters/deploy.bicep +++ b/modules/Microsoft.ContainerService/managedClusters/deploy.bicep 
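Review bot: Both `gitRepository` entries track `branch: 'main'` of a third-party public repository, and the `flux-system-helm` configuration applies it cluster-scoped with `prune: true`, so whatever lands on those upstream branches is reconciled into (and, on removal, deleted from) the test cluster with no pin; the same snippet is reproduced in the readme examples, where readers will copy it. Pinning to an immutable ref, e.g. `repositoryRef: { commit: '<sha>' }` or `repositoryRef: { tag: 'v1.x' }`, would make the test deterministic and the documented example safer. `validation: 'none'` on the `infra` kustomization also skips dry-run validation before apply; unless there is a reason for it, omitting it (or using `'server'`) is the safer default. The enclosing `testDeployment` module declaration starts above the hunk.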
@@ -295,6 +295,13 @@ param tags object = {} @description('Optional. The resource ID of the disc encryption set to apply to the cluster. For security reasons, this value should be provided.') param diskEncryptionSetID string = '' +@description('Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension.') +@secure() +param fluxConfigurationProtectedSettings object = {} + +@description('Optional. Settings and configurations for the flux extension.') +param fluxExtension object = {} + @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource.') @allowed([ 'allLogs' @@ -553,6 +560,23 @@ module managedCluster_agentPools 'agentPools/deploy.bicep' = [for (agentPool, in } }] +module managedCluster_extension '../../Microsoft.KubernetesConfiguration/extensions/deploy.bicep' = if (!empty(fluxExtension)) { + name: '${uniqueString(deployment().name, location)}-ManagedCluster-FluxExtension' + params: { + clusterName: managedCluster.name + configurationProtectedSettings: !empty(fluxConfigurationProtectedSettings) ? fluxConfigurationProtectedSettings : {} + configurationSettings: contains(fluxExtension, 'configurationSettings') ? fluxExtension.configurationSettings : {} + enableDefaultTelemetry: enableReferencedModulesTelemetry + extensionType: 'microsoft.flux' + fluxConfigurations: fluxExtension.configurations + location: location + name: 'flux' + releaseNamespace: 'flux-system' + releaseTrain: contains(fluxExtension, 'releaseTrain') ? fluxExtension.releaseTrain : 'Stable' + version: contains(fluxExtension, 'version') ? fluxExtension.version : '' + } +} + resource managedCluster_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { name: '${managedCluster.name}-${lock}-lock' properties: { diff --git a/modules/Microsoft.ContainerService/managedClusters/readme.md b/modules/Microsoft.ContainerService/managedClusters/readme.md index 71d6b554d2..2b1e7a5fe9 100644 
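Review bot: `fluxConfigurations: fluxExtension.configurations` in the new `managedCluster_extension` module dereferences the key unconditionally while every sibling property is guarded with `contains()`, so a `fluxExtension` object without `configurations` (e.g. to install the extension alone) fails at template evaluation; use `fluxConfigurations: contains(fluxExtension, 'configurations') ? fluxExtension.configurations : []`. The ternary on `configurationProtectedSettings` is redundant, since its fallback `{}` equals the empty value it replaces, and can simply be `configurationProtectedSettings: fluxConfigurationProtectedSettings`. Note also that only the extension-level protected settings arrive through the `@secure()` parameter; any `configurationProtectedSettings` nested under `fluxExtension.configurations[]` (the per-repository Git or bucket credentials) travel inside the plain `fluxExtension` object and are not treated as secrets by the deployment. That is worth stating in the parameter description, e.g. `@description('Optional. Settings and configurations for the flux extension. This object is not secure; do not place credentials under configurations[].configurationProtectedSettings.')`.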
--- a/modules/Microsoft.ContainerService/managedClusters/readme.md +++ b/modules/Microsoft.ContainerService/managedClusters/readme.md @@ -19,6 +19,8 @@ This module deploys Azure Kubernetes Cluster (AKS). | `Microsoft.ContainerService/managedClusters` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2022-09-01/managedClusters) | | `Microsoft.ContainerService/managedClusters/agentPools` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.ContainerService/2022-09-01/managedClusters/agentPools) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | +| `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) | +| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) | ## Parameters 
@@ -102,6 +104,8 @@ This module deploys Azure Kubernetes Cluster (AKS). | `enablePrivateClusterPublicFQDN` | bool | `False` | | Whether to create additional public FQDN for private cluster or not. | | `enableRBAC` | bool | `True` | | Whether to enable Kubernetes Role-Based Access Control. | | `enableSecretRotation` | string | `'false'` | `[false, true]` | Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation. | +| `fluxConfigurationProtectedSettings` | secureObject | `{object}` | | Configuration settings that are sensitive, as name-value pairs for configuring this extension. | +| `fluxExtension` | object | `{object}` | | Settings and configurations for the flux extension. | | `httpApplicationRoutingEnabled` | bool | `False` | | Specifies whether the httpApplicationRouting add-on is enabled or not. | | `ingressApplicationGatewayEnabled` | bool | `False` | | Specifies whether the ingressApplicationGateway (AGIC) add-on is enabled or not. | | `kubeDashboardEnabled` | bool | `False` | | Specifies whether the kubeDashboard add-on is enabled or not. | @@ -365,7 +369,12 @@ userAssignedIdentities: { ## Cross-referenced modules -_None_ +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `Microsoft.KubernetesConfiguration/extensions` | Local reference | +| `Microsoft.KubernetesConfiguration/fluxConfigurations` | Local reference | ## Deployment examples 
@@ -468,6 +477,59 @@ module managedClusters './Microsoft.ContainerService/managedClusters/deploy.bice diagnosticWorkspaceId: '' diskEncryptionSetID: '' enableDefaultTelemetry: '' + fluxExtension: { + configurations: [ + { + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + namespace: 'flux-system' + } + { + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/Azure/gitops-flux2-kustomize-helm-mt' + } + kustomizations: { + apps: { + path: './apps/staging' + prune: true + retryIntervalInSeconds: 120 + syncIntervalInSeconds: 600 + timeoutInSeconds: 600 + } + infra: { + dependsOn: [] + path: './infrastructure' + prune: true + syncIntervalInSeconds: 600 + timeoutInSeconds: 600 + validation: 'none' + } + } + namespace: 'flux-system-helm' + } + ] + configurationSettings: { + 'helm-controller.enabled': 'true' + 'image-automation-controller.enabled': 'false' + 'image-reflector-controller.enabled': 'false' + 'kustomize-controller.enabled': 'true' + 'notification-controller.enabled': 'true' + 'source-controller.enabled': 'true' + } + } lock: 'CanNotDelete' roleAssignments: [ { 
@@ -601,6 +663,64 @@ module managedClusters './Microsoft.ContainerService/managedClusters/deploy.bice "enableDefaultTelemetry": { "value": "" }, + "fluxExtension": { + "value": { + "configurations": [ + { + "gitRepository": { + "repositoryRef": { + "branch": "main" + }, + "sshKnownHosts": "", + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 180, + "url": "https://github.com/mspnp/aks-baseline" + }, + "namespace": "flux-system" + }, + { + "gitRepository": { + "repositoryRef": { + "branch": "main" + }, + "sshKnownHosts": "", + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 180, + "url": "https://github.com/Azure/gitops-flux2-kustomize-helm-mt" + }, + "kustomizations": { + "apps": { + "dependsOn": [ + "infra" + ], + "path": "./apps/staging", + "prune": true, + "retryIntervalInSeconds": 120, + "syncIntervalInSeconds": 600, + "timeoutInSeconds": 600 + }, + "infra": { + "dependsOn": [], + "path": "./infrastructure", + "prune": true, + "syncIntervalInSeconds": 600, + "timeoutInSeconds": 600, + "validation": "none" + } + }, + "namespace": "flux-system-helm" + } + ], + "configurationSettings": { + "helm-controller.enabled": "true", + "image-automation-controller.enabled": "false", + "image-reflector-controller.enabled": "false", + "kustomize-controller.enabled": "true", + "notification-controller.enabled": "true", + "source-controller.enabled": "true" + } + } + }, "lock": { "value": "CanNotDelete" }, diff --git a/modules/Microsoft.KubernetesConfiguration/extensions/.test/common/deploy.test.bicep b/modules/Microsoft.KubernetesConfiguration/extensions/.test/common/deploy.test.bicep index fe7a163d10..e190a6addb 100644 --- a/modules/Microsoft.KubernetesConfiguration/extensions/.test/common/deploy.test.bicep +++ b/modules/Microsoft.KubernetesConfiguration/extensions/.test/common/deploy.test.bicep 
@@ -59,5 +59,20 @@ module testDeployment '../../deploy.bicep' = { releaseNamespace: 'flux-system' releaseTrain: 'Stable' version: '0.5.2' + fluxConfigurations: [ + { + namespace: 'flux-system' + scope: 'cluster' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + } + ] } } diff --git a/modules/Microsoft.KubernetesConfiguration/extensions/deploy.bicep b/modules/Microsoft.KubernetesConfiguration/extensions/deploy.bicep index 3ec32c5c9b..ae70ec2e5f 100644 --- a/modules/Microsoft.KubernetesConfiguration/extensions/deploy.bicep +++ b/modules/Microsoft.KubernetesConfiguration/extensions/deploy.bicep @@ -11,6 +11,7 @@ param clusterName string param location string = resourceGroup().location @description('Optional. Configuration settings that are sensitive, as name-value pairs for configuring this extension.') +@secure() param configurationProtectedSettings object = {} @description('Optional. Configuration settings, as name-value pairs for configuring this extension.') @@ -31,6 +32,9 @@ param targetNamespace string = '' @description('Optional. Version of the extension for this extension, if it is "pinned" to a specific version.') param version string = '' +@description('Optional. A list of flux configuraitons.') +param fluxConfigurations array = [] + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}' properties: { 
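Review bot: The new `@description('Optional. A list of flux configuraitons.')` misspells the word, and the generated readme table inherits the typo; change it to `@description('Optional. A list of flux configurations.')`. Bicep's `@secure()` decorator applies to string and object parameters, so the `fluxConfigurations` array cannot be secured the way `configurationProtectedSettings` now is in the hunk above, and the description is the place to say that per-configuration `configurationProtectedSettings` passed through this array are not protected, e.g. `'Optional. A list of flux configurations. configurationProtectedSettings values inside these items are not secured by this parameter.'`.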
@@ -68,6 +72,26 @@ resource extension 'Microsoft.KubernetesConfiguration/extensions@2022-03-01' = { } } +module fluxConfiguration '../../Microsoft.KubernetesConfiguration/fluxConfigurations/deploy.bicep' = [for (fluxConfiguration, index) in fluxConfigurations: { + name: '${uniqueString(deployment().name, location)}-ManagedCluster-FluxConfiguration${index}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + clusterName: managedCluster.name + scope: fluxConfiguration.scope + namespace: fluxConfiguration.namespace + sourceKind: contains(fluxConfiguration, 'gitRepository') ? 'GitRepository' : 'Bucket' + name: contains(fluxConfiguration, 'name') ? fluxConfiguration.name : toLower('${managedCluster.name}-fluxconfiguration${index}') + bucket: contains(fluxConfiguration, 'bucket') ? fluxConfiguration.bucket : {} + configurationProtectedSettings: contains(fluxConfiguration, 'configurationProtectedSettings') ? fluxConfiguration.configurationProtectedSettings : {} + gitRepository: contains(fluxConfiguration, 'gitRepository') ? fluxConfiguration.gitRepository : {} + kustomizations: contains(fluxConfiguration, 'kustomizations') ? fluxConfiguration.kustomizations : {} + suspend: contains(fluxConfiguration, 'suspend') ? fluxConfiguration.suspend : false + } + dependsOn: [ + extension + ] +}] + @description('The name of the extension.') output name string = extension.name diff --git a/modules/Microsoft.KubernetesConfiguration/extensions/readme.md b/modules/Microsoft.KubernetesConfiguration/extensions/readme.md index b28119d2a1..abc4de17cf 100644 --- a/modules/Microsoft.KubernetesConfiguration/extensions/readme.md +++ b/modules/Microsoft.KubernetesConfiguration/extensions/readme.md 
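Review bot: `configurationProtectedSettings: contains(fluxConfiguration, 'configurationProtectedSettings') ? fluxConfiguration.configurationProtectedSettings : {}` reads the per-configuration protected settings (the Git/bucket credentials that the `fluxConfigurations` module itself marks `@secure()`) out of the plain `fluxConfigurations` array, so callers who use this field put those credentials into an unsecured parameter value that remains readable in the deployment history. A cleaner path is a separate `@secure() param fluxConfigurationsProtectedSettings object = {}` keyed by configuration name, looked up here as `configurationProtectedSettings: contains(fluxConfigurationsProtectedSettings, name) ? fluxConfigurationsProtectedSettings[name] : {}` (with the name expression hoisted into a `var`), and the array field documented as unsupported. The `clusterName: managedCluster.name` reference presumes an existing-resource symbol `managedCluster` declared above the hunk; if there is none, the module's own `clusterName` parameter is the value to pass.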
@@ -33,7 +33,8 @@ For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-ar | Resource Type | API Version | | :-- | :-- | -| `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) | +| `Microsoft.KubernetesConfiguration/extensions` | [2022-03-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/extensions) | +| `Microsoft.KubernetesConfiguration/fluxConfigurations` | [2022-03-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.KubernetesConfiguration/2022-03-01/fluxConfigurations) | ## Parameters @@ -49,9 +50,10 @@ For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-ar | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | -| `configurationProtectedSettings` | object | `{object}` | Configuration settings that are sensitive, as name-value pairs for configuring this extension. | +| `configurationProtectedSettings` | secureObject | `{object}` | Configuration settings that are sensitive, as name-value pairs for configuring this extension. | | `configurationSettings` | object | `{object}` | Configuration settings, as name-value pairs for configuring this extension. | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | +| `fluxConfigurations` | array | `[]` | A list of flux configuraitons. | | `location` | string | `[resourceGroup().location]` | Location for all resources. | | `releaseNamespace` | string | `''` | Namespace where the extension Release must be placed, for a Cluster scoped extension. If this namespace does not exist, it will be created. | | `releaseTrain` | string | `'Stable'` | ReleaseTrain this extension participates in for auto-upgrade (e.g. Stable, Preview, etc.) - only if autoUpgradeMinorVersion is "true". | 
@@ -69,7 +71,11 @@ For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-ar ## Cross-referenced modules -_None_ +This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `Microsoft.KubernetesConfiguration/fluxConfigurations` | Local reference | ## Deployment examples @@ -101,6 +107,20 @@ module extensions './Microsoft.KubernetesConfiguration/extensions/deploy.bicep' 'source-controller.enabled': 'true' } enableDefaultTelemetry: '' + fluxConfigurations: [ + { + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + namespace: 'flux-system' + } + ] releaseNamespace: 'flux-system' releaseTrain: 'Stable' version: '0.5.2' @@ -143,6 +163,22 @@ module extensions './Microsoft.KubernetesConfiguration/extensions/deploy.bicep' "enableDefaultTelemetry": { "value": "" }, + "fluxConfigurations": { + "value": [ + { + "gitRepository": { + "repositoryRef": { + "branch": "main" + }, + "sshKnownHosts": "", + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 180, + "url": "https://github.com/mspnp/aks-baseline" + }, + "namespace": "flux-system" + } + ] + }, "releaseNamespace": { "value": "flux-system" }, diff --git a/modules/Microsoft.KubernetesConfiguration/fluxConfigurations/deploy.bicep b/modules/Microsoft.KubernetesConfiguration/fluxConfigurations/deploy.bicep index 8c39b77609..c9feeebf74 100644 --- a/modules/Microsoft.KubernetesConfiguration/fluxConfigurations/deploy.bicep +++ b/modules/Microsoft.KubernetesConfiguration/fluxConfigurations/deploy.bicep 
@@ -14,6 +14,7 @@ param location string = resourceGroup().location param bucket object = {} @description('Optional. Key-value pairs of protected configuration settings for the configuration.') +@secure() param configurationProtectedSettings object = {} @description('Optional. Parameters to reconcile to the GitRepository source kind type.') diff --git a/modules/Microsoft.KubernetesConfiguration/fluxConfigurations/readme.md b/modules/Microsoft.KubernetesConfiguration/fluxConfigurations/readme.md index 194ca1c7d3..c1e5e8d461 100644 --- a/modules/Microsoft.KubernetesConfiguration/fluxConfigurations/readme.md +++ b/modules/Microsoft.KubernetesConfiguration/fluxConfigurations/readme.md @@ -52,7 +52,7 @@ For Details see [Prerequisites](https://learn.microsoft.com/en-us/azure/azure-ar | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | | `bucket` | object | `{object}` | Parameters to reconcile to the GitRepository source kind type. | -| `configurationProtectedSettings` | object | `{object}` | Key-value pairs of protected configuration settings for the configuration. | +| `configurationProtectedSettings` | secureObject | `{object}` | Key-value pairs of protected configuration settings for the configuration. | | `enableDefaultTelemetry` | bool | `True` | Enable telemetry via a Globally Unique Identifier (GUID). | | `gitRepository` | object | `{object}` | Parameters to reconcile to the GitRepository source kind type. | | `kustomizations` | object | `{object}` | Array of kustomizations used to reconcile the artifact pulled by the source type on the cluster. |