From a93d6e5d8aee375c2cff5826ad2adc54b05aece3 Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Tue, 3 Dec 2024 13:53:54 +0100
Subject: [PATCH 1/3] post-infra creation task for local CS development permissions

the `local-cs-permissions` task in `dev-infrastructure/Makefile` will set up permissions into OIDC storage accounts, SVC KVs and MC KVs

Signed-off-by: Gerd Oberlechner
---
 dev-infrastructure/Makefile | 22 ++++++++++++++++--
 dev-infrastructure/config.tmpl.mk | 4 ++++
 dev-infrastructure/scripts/kv-permissions.sh | 24 ++++++++++++++++++++
 3 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100755 dev-infrastructure/scripts/kv-permissions.sh

diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile
index 14e3bca82..3d38284c4 100644
--- a/dev-infrastructure/Makefile
+++ b/dev-infrastructure/Makefile
@@ -248,13 +248,18 @@ svc.aks.kubeconfigfile:
 .PHONY: svc.aks.kubeconfigfile
 
 svc.oidc.storage.permissions:
-	STORAGEACCOUNTID=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${SVC_RESOURCEGROUP} --query id -o tsv) && \
+	@STORAGEACCOUNTID=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${SVC_RESOURCEGROUP} --query id -o tsv) && \
 	az role assignment create \
 	--role "Storage Blob Data Contributor" \
 	--assignee ${PRINCIPAL_ID} \
-	--scope "$${STORAGEACCOUNTID}"
+	--scope "$${STORAGEACCOUNTID}" \
+	--only-show-errors
 .PHONY: svc.oidc.storage.permissions
 
+svc.kv.permission:
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(SVC_KV_RESOURCEGROUP) $(SVC_KV_NAME)
+.PHONY: svc.kv.permission
+
 svc.init: region svc svc.aks.admin-access svc.aks.kubeconfig metrics-infra svc.enable-aks-metrics svc.oidc.storage.permissions
 .PHONY: svc.init
 
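Review bot: The recipe still runs `az role assignment create` when the storage-account lookup returns nothing: `$(shell az storage account show …)` expanding to an empty string makes the `STORAGEACCOUNTID=` assignment succeed, so the `&&` chain continues with `--scope ""`, and with the new `@` prefix plus `--only-show-errors` nothing in the output shows which scope was actually used. I believe the az CLI treats an empty `--scope` as unset and falls back to the subscription, which would widen a storage-account-scoped Storage Blob Data Contributor grant to the whole subscription — worth verifying, but the empty case should fail either way. Inserting `test -n "$${STORAGEACCOUNTID}" && \` as the second line of the chain makes a failed lookup abort the target instead. Note also that the `$(shell …)` call is evaluated when the recipe is expanded, so `make -n` still invokes `az`.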
@@ -356,6 +361,12 @@ mgmt.clean:
 	fi
 .PHONY: mgmt.clean
 
+mgmt.kv.permission:
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP)aa $(CX_KV_NAME)
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP)a $(MSI_KV_NAME)
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP)a $(MGMT_KV_NAME)
+.PHONY: mgmt.kv.permission
+
 # ACR
 
 global.rg:
@@ -501,3 +512,10 @@ infra: region svc.init mgmt.init
 
 clean: svc.clean mgmt.clean region.clean
 .PHONY: clean
+
+#
+# Local CS Development
+#
+
+local-cs-permissions: svc.oidc.storage.permissions svc.kv.permission mgmt.kv.permission
+.PHONY: local-cs-permissions
diff --git a/dev-infrastructure/config.tmpl.mk b/dev-infrastructure/config.tmpl.mk
index 4593f6e18..b3d60d61e 100644
--- a/dev-infrastructure/config.tmpl.mk
+++ b/dev-infrastructure/config.tmpl.mk
@@ -4,6 +4,7 @@ MGMT_RESOURCEGROUP ?= {{ .mgmt.rg }}
 REGIONAL_RESOURCEGROUP ?= {{ .regionRG }}
 SVC_KV_RESOURCEGROUP ?= {{ .serviceKeyVault.rg }}
 GLOBAL_RESOURCEGROUP ?= {{ .globalRG }}
+SVC_KV_NAME ?= {{ .serviceKeyVault.name }}
 IMAGE_SYNC_RESOURCEGROUP ?= {{ .imageSync.rg }}
 IMAGE_SYNC_ENVIRONMENT ?= {{ .imageSync.environmentName }}
 ARO_HCP_IMAGE_ACR ?= {{ .svcAcrName }}
@@ -12,3 +13,6 @@ AKS_NAME ?= {{ .aksName }}
 CS_PG_NAME ?= {{ .clusterService.postgres.name }}
 MAESTRO_PG_NAME ?= {{ .maestro.postgres.name }}
 OIDC_STORAGE_ACCOUNT ?= {{ .oidcStorageAccountName }}
+CX_KV_NAME ?= {{ .cxKeyVault.name }}
+MSI_KV_NAME ?= {{ .msiKeyVault.name }}
+MGMT_KV_NAME ?= {{ .mgmtKeyVault.name }}
diff --git a/dev-infrastructure/scripts/kv-permissions.sh b/dev-infrastructure/scripts/kv-permissions.sh
new file mode 100755
index 000000000..39e5e2b4c
--- /dev/null
+++ b/dev-infrastructure/scripts/kv-permissions.sh
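Review bot: The `local-cs-permissions` target in the last Makefile hunk carries no comment beyond the section banner, although it is the entry point that hands `$(PRINCIPAL_ID)` data-plane roles on the OIDC storage account and on the SVC, CX, MSI and MGMT key vaults; where `PRINCIPAL_ID` is defined or validated is not visible in this diff. A one-line comment above the rule stating which identity is expected and when to run it, along the lines of `# Grant PRINCIPAL_ID (the identity used for local CS development) data-plane access to the OIDC storage account and the SVC/MGMT key vaults; run once after the infra target has completed.`, would make the reach of the target clear to whoever invokes it. If `PRINCIPAL_ID` can be empty, a guard such as `$(if $(strip $(PRINCIPAL_ID)),,$(error PRINCIPAL_ID is not set))` in the recipe would stop all three prerequisite targets from calling `az` with an empty `--assignee`.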
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+PRINCIPAL_ID=$1
+RG_NAME=$2
+KV_NAME=$3
+
+KV_RESOURCE_ID=$(az keyvault show --name ${KV_NAME} --resource-group ${RG_NAME} --query id -o tsv 2>/dev/null)
+
+if [ -z "${KV_RESOURCE_ID}" ]; then
+    echo "Error: Key Vault resource ID for ${KV_NAME} in ${RG_NAME} could not be retrieved."
+    exit 0
+fi
+
+az role assignment create \
+    --role "Key Vault Secrets Officer" \
+    --assignee ${PRINCIPAL_ID} \
+    --scope ${KV_RESOURCE_ID} \
+    --only-show-errors
+
+az role assignment create \
+    --role "Key Vault Certificates Officer" \
+    --assignee ${PRINCIPAL_ID} \
+    --scope ${KV_RESOURCE_ID} \
+    --only-show-errors

From 8b2f69a5f4c6642065b15187925066195cf484a8 Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Tue, 3 Dec 2024 16:37:31 +0100
Subject: [PATCH 2/3] add certificate user role

Signed-off-by: Gerd Oberlechner
---
 dev-infrastructure/scripts/kv-permissions.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dev-infrastructure/scripts/kv-permissions.sh b/dev-infrastructure/scripts/kv-permissions.sh
index 39e5e2b4c..4da80ecb4 100755
--- a/dev-infrastructure/scripts/kv-permissions.sh
+++ b/dev-infrastructure/scripts/kv-permissions.sh
@@ -22,3 +22,9 @@ az role assignment create \
     --assignee ${PRINCIPAL_ID} \
     --scope ${KV_RESOURCE_ID} \
     --only-show-errors
+
+az role assignment create \
+    --role "Key Vault Certificate User" \
+    --assignee ${PRINCIPAL_ID} \
+    --scope ${KV_RESOURCE_ID} \
+    --only-show-errors

From e3aeb6720b14411531cf253effbe4e19d2a8ef26 Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Wed, 4 Dec 2024 10:32:54 +0100
Subject: [PATCH 3/3] fix

Signed-off-by: Gerd Oberlechner
---
 dev-infrastructure/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile
index 3d38284c4..30b1b6dd7 100644
--- a/dev-infrastructure/Makefile
+++ b/dev-infrastructure/Makefile
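Review bot: The lookup-failure branch ends in `exit 0`, so a mistyped vault name, a wrong resource group or a missing read permission leaves `make svc.kv.permission` and `make mgmt.kv.permission` reporting success with no role granted, and the `2>/dev/null` on the `az keyvault show` call discards the only message that would explain why; the Makefile callers prefix the script with `@`, so nothing else surfaces the failure. The script should exit non-zero there, keep az's stderr, fail on unset or missing arguments (`set -euo pipefail` plus an argument-count check), and quote `${PRINCIPAL_ID}`, `${RG_NAME}`, `${KV_NAME}` and `${KV_RESOURCE_ID}` on the az command lines so a value containing whitespace cannot be split into extra arguments. The rewritten head of the script is below; the two `az role assignment create` calls stay as they are apart from the quoting.
```shell
#!/bin/bash
set -euo pipefail

if [ "$#" -ne 3 ]; then
    echo "usage: $0 <principal-id> <resource-group> <key-vault-name>" >&2
    exit 1
fi

PRINCIPAL_ID=$1
RG_NAME=$2
KV_NAME=$3

KV_RESOURCE_ID=$(az keyvault show --name "${KV_NAME}" --resource-group "${RG_NAME}" --query id -o tsv)

if [ -z "${KV_RESOURCE_ID}" ]; then
    echo "Error: Key Vault resource ID for ${KV_NAME} in ${RG_NAME} could not be retrieved." >&2
    exit 1
fi

# … unchanged: the two az role assignment create calls, with "${PRINCIPAL_ID}" and "${KV_RESOURCE_ID}" quoted …
```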
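Review bot: The block added in this hunk is the third verbatim copy of the `az role assignment create` invocation, differing only in the `--role` value, so any later adjustment to the shared `--assignee`, `--scope` or `--only-show-errors` arguments has to be made in three places. A single loop over the role names keeps the invocation in one place and makes the full set of roles granted on the vault readable at a glance. The rest of the script, including where `PRINCIPAL_ID` and `KV_RESOURCE_ID` are set, lies outside this hunk.
```shell
# … unchanged: argument handling and the KV_RESOURCE_ID lookup …

for role in "Key Vault Secrets Officer" "Key Vault Certificates Officer" "Key Vault Certificate User"; do
    az role assignment create \
        --role "${role}" \
        --assignee "${PRINCIPAL_ID}" \
        --scope "${KV_RESOURCE_ID}" \
        --only-show-errors
done
```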
@@ -362,9 +362,9 @@ mgmt.clean:
 .PHONY: mgmt.clean
 
 mgmt.kv.permission:
-	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP)aa $(CX_KV_NAME)
-	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP)a $(MSI_KV_NAME)
-	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP)a $(MGMT_KV_NAME)
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP) $(CX_KV_NAME)
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP) $(MSI_KV_NAME)
+	@scripts/kv-permissions.sh $(PRINCIPAL_ID) $(MGMT_RESOURCEGROUP) $(MGMT_KV_NAME)
 .PHONY: mgmt.kv.permission
 
 # ACR