From c781e1e5d4700dff42a80d048fab2b2df0e44fc4 Mon Sep 17 00:00:00 2001 From: sarahpeiffer Date: Wed, 29 Sep 2021 14:15:04 -0700 Subject: [PATCH 1/4] Use MSI for arc --- .../ContainerInsightsExtension.Parameters.json | 8 +++++++- .../ServiceGroupRoot/Scripts/pushChartToAcr.sh | 18 ++++++++++++++---- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json b/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json index a8a99e9f6..38927d88d 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json @@ -59,7 +59,13 @@ "name": "CHART_VERSION", "value": "__CHART_VERSION__" } - ] + ], + "identity": { + "type": "userAssigned", + "userAssignedIdentities": [ + "__MANAGED_IDENTITY__" + ] + } } } ] diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh index 520557592..f605e4066 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh 
@@ -106,15 +106,25 @@ echo "START - Release stage : ${RELEASE_STAGE}" echo "Using acr : ${ACR_NAME}" echo "Using acr repo type: ${REPO_TYPE}" -echo "login to acr:${ACR_NAME} using helm ..." -echo $ACR_APP_SECRET | helm registry login $ACR_NAME --username $ACR_APP_ID --password-stdin +#Login to az cli and authenticate to acr +echo "Login cli using managed identity" +az login --identity if [ $? -eq 0 ]; then - echo "login to acr:${ACR_NAME} using helm completed successfully." + echo "Logged in successfully" else - echo "-e error login to acr:${ACR_NAME} using helm failed. Please review Ev2 pipeline logs for more details on the error." + echo "-e error failed to login to az with managed identity credentials" exit 1 fi +# echo "login to acr:${ACR_NAME} using helm ..." +# echo $ACR_APP_SECRET | helm registry login $ACR_NAME --username $ACR_APP_ID --password-stdin +# if [ $? -eq 0 ]; then +# echo "login to acr:${ACR_NAME} using helm completed successfully." +# else +# echo "-e error login to acr:${ACR_NAME} using helm failed. Please review Ev2 pipeline logs for more details on the error." +# exit 1 +# fi + case $RELEASE_STAGE in Canary) From 4a667d658181dbced7c8c1ddbf19bab96e96afc0 Mon Sep 17 00:00:00 2001 From: sarahpeiffer Date: Thu, 30 Sep 2021 08:48:53 -0700 Subject: [PATCH 2/4] Use MSI for Arc Release --- ...ContainerInsightsExtension.Parameters.json | 20 ------------- .../ScopeBindings/Public.ScopeBindings.json | 28 +++++++++++++++++++ .../Scripts/pushChartToAcr.sh | 26 ++++++++++------- 3 files changed, 44 insertions(+), 30 deletions(-) diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json b/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json index 38927d88d..c13c105e1 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json 
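Review bot: `az login --identity` in pushChartToAcr.sh does not name the identity to sign in with, even though this patch attaches a user-assigned identity in ContainerInsightsExtension.Parameters.json. With a single attached identity this presumably resolves as intended, but it becomes ambiguous if a second identity is ever attached to the shell extension. Passing the client ID explicitly pins the login to the intended principal: `az login --identity --username "<managed-identity-client-id>" --output none` (newer CLI releases spell the option `--client-id`). The `--output none` also keeps the account JSON, which includes tenant and subscription details, out of the Ev2 log on success. The failure branch prints a literal `-e` because the flag sits inside the quotes, and the message goes to stdout; `echo "error: az login with managed identity failed" >&2` would be clearer. The script continues outside this hunk.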
+++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json @@ -31,26 +31,6 @@ "name": "RELEASE_STAGE", "value": "__RELEASE_STAGE__" }, - { - "name": "ACR_APP_ID", - "reference": { - "provider": "AzureKeyVault", - "parameters": { - "secretId": "https://cibuildandreleasekv.vault.azure.net/secrets/ciprodacrappid/e8f47bf7505741ebaf65a4db16ff9fa7" - } - }, - "asSecureValue": "true" - }, - { - "name": "ACR_APP_SECRET", - "reference": { - "provider": "AzureKeyVault", - "parameters": { - "secretId": "https://cibuildandreleasekv.vault.azure.net/secrets/ciprodacrappsecret/8718afcdac114accb8b26f613cef1e1e" - } - }, - "asSecureValue": "true" - }, { "name": "ACR_NAME", "value": "__ACR_NAME__" diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/ScopeBindings/Public.ScopeBindings.json b/deployment/arc-k8s-extension/ServiceGroupRoot/ScopeBindings/Public.ScopeBindings.json index 516eba3e2..b6a6049b7 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/ScopeBindings/Public.ScopeBindings.json +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/ScopeBindings/Public.ScopeBindings.json @@ -16,6 +16,10 @@ { "find": "__CHART_VERSION__", "replaceWith": "$(ChartVersion)" + }, + { + "find": "__MANAGED_IDENTITY__", + "replaceWith": "$(ManagedIdentity)" } ] }, @@ -33,6 +37,10 @@ { "find": "__CHART_VERSION__", "replaceWith": "$(ChartVersion)" + }, + { + "find": "__MANAGED_IDENTITY__", + "replaceWith": "$(ManagedIdentity)" } ] }, @@ -50,6 +58,10 @@ { "find": "__CHART_VERSION__", "replaceWith": "$(ChartVersion)" + }, + { + "find": "__MANAGED_IDENTITY__", + "replaceWith": "$(ManagedIdentity)" } ] }, @@ -67,6 +79,10 @@ { "find": "__CHART_VERSION__", "replaceWith": "$(ChartVersion)" + }, + { + "find": "__MANAGED_IDENTITY__", + "replaceWith": "$(ManagedIdentity)" } ] }, @@ -84,6 +100,10 @@ { "find": "__CHART_VERSION__", "replaceWith": "$(ChartVersion)" + }, + { + "find": "__MANAGED_IDENTITY__", + "replaceWith": "$(ManagedIdentity)" } ] }, 
@@ -101,6 +121,10 @@ { "find": "__CHART_VERSION__", "replaceWith": "$(ChartVersion)" + }, + { + "find": "__MANAGED_IDENTITY__", + "replaceWith": "$(ManagedIdentity)" } ] }, @@ -118,6 +142,10 @@ { "find": "__CHART_VERSION__", "replaceWith": "$(ChartVersion)" + }, + { + "find": "__MANAGED_IDENTITY__", + "replaceWith": "$(ManagedIdentity)" } ] } diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh index f605e4066..0b4edbde6 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh 
@@ -112,18 +112,24 @@ az login --identity if [ $? -eq 0 ]; then echo "Logged in successfully" else - echo "-e error failed to login to az with managed identity credentials" + echo "-e error az login with managed identity credentials failed. Please review the Ev2 pipeline logs for more details on the error." exit 1 -fi +fi + +ACCESS_TOKEN=$(az acr login --name ${ACR_NAME} --expose-token --output tsv --query accessToken) +if [ $? -ne 0 ]; then + echo "-e error az acr login failed. Please review the Ev2 pipeline logs for more details on the error." + exit 1 +fi -# echo "login to acr:${ACR_NAME} using helm ..." -# echo $ACR_APP_SECRET | helm registry login $ACR_NAME --username $ACR_APP_ID --password-stdin -# if [ $? -eq 0 ]; then -# echo "login to acr:${ACR_NAME} using helm completed successfully." -# else -# echo "-e error login to acr:${ACR_NAME} using helm failed. Please review Ev2 pipeline logs for more details on the error." -# exit 1 -# fi +echo "login to acr:${ACR_NAME} using helm ..." +echo $ACCESS_TOKEN | helm registry login $ACR_NAME -u 00000000-0000-0000-0000-000000000000 --password-stdin +if [ $? -eq 0 ]; then + echo "login to acr:${ACR_NAME} using helm completed successfully." +else + echo "-e error login to acr:${ACR_NAME} using helm failed. Please review Ev2 pipeline logs for more details on the error." + exit 1 +fi case $RELEASE_STAGE in From ad1b187e78b334152f7511d502ea72c0d976a886 Mon Sep 17 00:00:00 2001 From: sarahpeiffer Date: Thu, 30 Sep 2021 09:24:56 -0700 Subject: [PATCH 3/4] Use CIPROD_ACR AME subscription for shell extension --- .../ServiceModels/Public.ServiceModel.json | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/ServiceModels/Public.ServiceModel.json b/deployment/arc-k8s-extension/ServiceGroupRoot/ServiceModels/Public.ServiceModel.json index 71081661a..2af34c16d 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/ServiceModels/Public.ServiceModel.json 
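Review bot: The new `az acr login --expose-token` step checks only the exit status, so an empty `ACCESS_TOKEN` would still be piped into `helm registry login`, and every expansion in the two new commands is unquoted. I would quote the capture as `ACCESS_TOKEN=$(az acr login --name "${ACR_NAME}" --expose-token --output tsv --query accessToken)`, test `[ $? -ne 0 ] || [ -z "$ACCESS_TOKEN" ]`, and write the pipe as `printf '%s' "$ACCESS_TOKEN" | helm registry login "$ACR_NAME" -u 00000000-0000-0000-0000-000000000000 --password-stdin`. The value is a bearer credential for the registry, so `unset ACCESS_TOKEN` once the helm login has succeeded would limit how long it stays in the shell environment. It is also worth confirming that no `set -x` trace is active around these lines; the top of the script is outside this hunk. The same `$ACR_NAME` is passed to `az acr login --name` and as the helm registry host, so please confirm the value is accepted in both places.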
+++ b/deployment/arc-k8s-extension/ServiceGroupRoot/ServiceModels/Public.ServiceModel.json @@ -33,7 +33,7 @@ "AzureResourceGroupName": "ContainerInsightsExtension-Canary-Release", "Location": "eastus2", "InstanceOf": "ARC-Extension-ServiceResourceGroupDefinition", - "AzureSubscriptionId": "5fab7b6f-6150-42fe-89e1-0f07a0a9a46f", + "AzureSubscriptionId": "30c56c3a-54da-46ea-b004-06eb33432687", "ScopeTags": [ { "Name": "Canary" @@ -51,7 +51,7 @@ "AzureResourceGroupName": "ContainerInsightsExtension-Pilot-Release", "Location": "eastus2", "InstanceOf": "ARC-Extension-ServiceResourceGroupDefinition", - "AzureSubscriptionId": "5fab7b6f-6150-42fe-89e1-0f07a0a9a46f", + "AzureSubscriptionId": "30c56c3a-54da-46ea-b004-06eb33432687", "ScopeTags": [ { "Name": "Pilot" @@ -69,7 +69,7 @@ "AzureResourceGroupName": "ContainerInsightsExtension-LightLoad-Release", "Location": "eastus2", "InstanceOf": "ARC-Extension-ServiceResourceGroupDefinition", - "AzureSubscriptionId": "5fab7b6f-6150-42fe-89e1-0f07a0a9a46f", + "AzureSubscriptionId": "30c56c3a-54da-46ea-b004-06eb33432687", "ScopeTags": [ { "Name": "LightLoad" @@ -87,7 +87,7 @@ "AzureResourceGroupName": "ContainerInsightsExtension-MediumLoad-Release", "Location": "eastus2", "InstanceOf": "ARC-Extension-ServiceResourceGroupDefinition", - "AzureSubscriptionId": "5fab7b6f-6150-42fe-89e1-0f07a0a9a46f", + "AzureSubscriptionId": "30c56c3a-54da-46ea-b004-06eb33432687", "ScopeTags": [ { "Name": "MediumLoad" @@ -105,7 +105,7 @@ "AzureResourceGroupName": "ContainerInsightsExtension-HighLoad-Release", "Location": "eastus2", "InstanceOf": "ARC-Extension-ServiceResourceGroupDefinition", - "AzureSubscriptionId": "5fab7b6f-6150-42fe-89e1-0f07a0a9a46f", + "AzureSubscriptionId": "30c56c3a-54da-46ea-b004-06eb33432687", "ScopeTags": [ { "Name": "HighLoad" 
@@ -123,7 +123,7 @@ "AzureResourceGroupName": "ContainerInsightsExtension-FF-Release", "Location": "eastus2", "InstanceOf": "ARC-Extension-ServiceResourceGroupDefinition", - "AzureSubscriptionId": "5fab7b6f-6150-42fe-89e1-0f07a0a9a46f", + "AzureSubscriptionId": "30c56c3a-54da-46ea-b004-06eb33432687", "ScopeTags": [ { "Name": "FF" @@ -141,7 +141,7 @@ "AzureResourceGroupName": "ContainerInsightsExtension-MC-Release", "Location": "eastus2", "InstanceOf": "ARC-Extension-ServiceResourceGroupDefinition", - "AzureSubscriptionId": "5fab7b6f-6150-42fe-89e1-0f07a0a9a46f", + "AzureSubscriptionId": "30c56c3a-54da-46ea-b004-06eb33432687", "ScopeTags": [ { "Name": "MC" From 69a8397a2b9fe7693fba7f7a3689fe1cd509177b Mon Sep 17 00:00:00 2001 From: sarahpeiffer Date: Thu, 30 Sep 2021 09:27:45 -0700 Subject: [PATCH 4/4] remove extra line endings --- .../Parameters/ContainerInsightsExtension.Parameters.json | 2 +- .../RolloutSpecs/Public.Canary.RolloutSpec.json | 2 +- .../ServiceGroupRoot/ScopeBindings/Public.ScopeBindings.json | 2 +- .../ServiceGroupRoot/Scripts/pushChartToAcr.sh | 2 +- .../ServiceGroupRoot/ServiceModels/Public.ServiceModel.json | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json b/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json index c13c105e1..69e1bcf35 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Parameters/ContainerInsightsExtension.Parameters.json @@ -49,4 +49,4 @@ } } ] -} +} \ No newline at end of file diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/RolloutSpecs/Public.Canary.RolloutSpec.json b/deployment/arc-k8s-extension/ServiceGroupRoot/RolloutSpecs/Public.Canary.RolloutSpec.json index cde103633..2d0149e24 100644 
--- a/deployment/arc-k8s-extension/ServiceGroupRoot/RolloutSpecs/Public.Canary.RolloutSpec.json +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/RolloutSpecs/Public.Canary.RolloutSpec.json @@ -26,4 +26,4 @@ "dependsOn": [ ] } ] -} +} \ No newline at end of file diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/ScopeBindings/Public.ScopeBindings.json b/deployment/arc-k8s-extension/ServiceGroupRoot/ScopeBindings/Public.ScopeBindings.json index b6a6049b7..bf61ab7fd 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/ScopeBindings/Public.ScopeBindings.json +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/ScopeBindings/Public.ScopeBindings.json @@ -150,4 +150,4 @@ ] } ] -} +} \ No newline at end of file diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh index 0b4edbde6..99421b122 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/Scripts/pushChartToAcr.sh @@ -194,4 +194,4 @@ case $RELEASE_STAGE in ;; esac -echo "END - Release stage : ${RELEASE_STAGE}" +echo "END - Release stage : ${RELEASE_STAGE}" \ No newline at end of file diff --git a/deployment/arc-k8s-extension/ServiceGroupRoot/ServiceModels/Public.ServiceModel.json b/deployment/arc-k8s-extension/ServiceGroupRoot/ServiceModels/Public.ServiceModel.json index 2af34c16d..6f565d4c4 100644 --- a/deployment/arc-k8s-extension/ServiceGroupRoot/ServiceModels/Public.ServiceModel.json +++ b/deployment/arc-k8s-extension/ServiceGroupRoot/ServiceModels/Public.ServiceModel.json @@ -156,4 +156,4 @@ ] } ] - } + } \ No newline at end of file