Removes Radix CR Reader #1569

Merged
merged 2 commits into from
Dec 19, 2024
10 changes: 4 additions & 6 deletions scripts/radix-zone/base-infrastructure/bootstrap.sh
Expand Up @@ -160,7 +160,6 @@ echo -e " - AZ_IPPRE_INBOUND_LENGTH : $AZ_IPPRE_INBOUND_L
echo -e " - AZ_RESOURCE_CONTAINER_REGISTRY : $AZ_RESOURCE_CONTAINER_REGISTRY"
echo -e " - AZ_RESOURCE_DNS : $AZ_RESOURCE_DNS"
echo -e ""
echo -e " - AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
echo -e " - AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
echo -e " - APP_REGISTRATION_WEB_CONSOLE : $APP_REGISTRATION_WEB_CONSOLE"
echo -e " - APP_REGISTRATION_GRAFANA : $APP_REGISTRATION_GRAFANA"
Expand Down Expand Up @@ -232,7 +231,7 @@ function create_common_resources() {
--tag "issue" \
--value "letsencrypt.org" \
--output none

az network dns record-set caa add-record \
--resource-group "${AZ_RESOURCE_GROUP_COMMON}" \
--zone-name "${AZ_RESOURCE_DNS}" \
Expand All @@ -242,7 +241,7 @@ function create_common_resources() {
--tag "issue" \
--value "digicert.com" \
--output none

az network dns record-set caa add-record \
--resource-group "${AZ_RESOURCE_GROUP_COMMON}" \
--zone-name "${AZ_RESOURCE_DNS}" \
Expand Down Expand Up @@ -425,7 +424,6 @@ EOF

# Create service principals
function create_base_system_users_and_store_credentials() {
create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER" "Service principal that provide read-only access to container registry"
create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD" "Service principal that provide push, pull, build in container registry"
create_service_principal_and_store_credentials "$APP_REGISTRATION_GRAFANA" "Grafana OAuth"
create_service_principal_and_store_credentials "$APP_REGISTRATION_WEB_CONSOLE" "Used by web console for login and other AD information"
Expand All @@ -441,9 +439,9 @@ function create_servicenow_proxy_server_app_registration() {
"value":"Application.Read",
"type":"User",
"isEnabled":true,
"userConsentDescription":"Allows the app to read ServiceNow applications",
"userConsentDescription":"Allows the app to read ServiceNow applications",
"userConsentDisplayName":"Read applications from ServiceNow",
"adminConsentDescription":"Allows the app to read ServiceNow applications",
"adminConsentDescription":"Allows the app to read ServiceNow applications",
"adminConsentDisplayName":"Read applications from ServiceNow"
}
]
25 changes: 9 additions & 16 deletions scripts/radix-zone/base-infrastructure/lib_acr.sh
Expand Up @@ -3,7 +3,7 @@

#######################################################################################
### PURPOSE
###
###

# Library for often used ACR functions.

Expand Down Expand Up @@ -68,13 +68,6 @@ function set_permissions_on_acr() {
local id
printf "Working on container registry \"${AZ_RESOURCE_CONTAINER_REGISTRY}\": "

printf "Setting permissions for \"${AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER}\"..." # radix-cr-reader-dev
id="$(az ad sp list --display-name ${AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD} --query [].appId --output tsv)"
# Delete any existing roles
az role assignment delete --assignee "${id}" --scope "${scope}" --output none
# Configure new roles
az role assignment create --assignee "${id}" --role AcrPull --scope "${scope}" --output none

printf "Setting permissions for \"${AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD}\"..." # radix-cr-cicd-dev
id="$(az ad sp list --filter "displayname eq '${AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD}'" --query [].appId --output tsv)"
# Delete any existing roles
Expand Down Expand Up @@ -253,12 +246,12 @@ stepTimeout: 3600
steps:
- cmd: buildx create --use # start buildkit
- cmd: >-
buildx build {{.Values.PUSH}} {{.Values.CACHE}}
{{.Values.TAGS}}
--file {{.Values.DOCKER_FILE_NAME}}
--cache-from=type=registry,ref={{.Values.DOCKER_REGISTRY}}.azurecr.io/{{.Values.REPOSITORY_NAME}}:radix-cache-{{.Values.BRANCH}} {{.Values.CACHE_TO_OPTIONS}}
.
{{.Values.BUILD_ARGS}}
buildx build {{.Values.PUSH}} {{.Values.CACHE}}
{{.Values.TAGS}}
--file {{.Values.DOCKER_FILE_NAME}}
--cache-from=type=registry,ref={{.Values.DOCKER_REGISTRY}}.azurecr.io/{{.Values.REPOSITORY_NAME}}:radix-cache-{{.Values.BRANCH}} {{.Values.CACHE_TO_OPTIONS}}
.
{{.Values.BUILD_ARGS}}
EOF
printf "Create ACR Task for internal use: ${TASK_NAME} in ACR: ${ACR_NAME}..."
az acr task create \
Expand Down Expand Up @@ -299,7 +292,7 @@ function add_task_credential() {
local TASK_NAME="$1"
local ACR_NAME="$2"
printf "Add credentials for system-assigned identity to task: ${TASK_NAME}..."
if [[
if [[
$(az acr task credential list --registry ${ACR_NAME} --name ${TASK_NAME} | jq '.["'${ACR_NAME}'.azurecr.io"].identity') == null ||
-z $(az acr task credential list --registry ${ACR_NAME} --name ${TASK_NAME} | jq '.["'${ACR_NAME}'.azurecr.io"].identity')
]]; then
Expand Down Expand Up @@ -368,4 +361,4 @@ function run_task() {
echo $? # Exit code of last executed command.

echo "Done."
}
}
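Review bot: The role-assignment block that remains at the end of this hunk for `${AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD}` takes `id` straight from `az ad sp list ... --query [].appId --output tsv` and then runs `az role assignment delete --assignee "${id}" --scope "${scope}"` without checking the lookup result, so an empty or multi-line `id` (no match, or several principals sharing that display name) is passed on unchecked. I would add a guard between the lookup and the delete: `[[ -n "${id}" && "${id}" != *$'\n'* ]] || { printf "ERROR: expected exactly one appId for %s\n" "${AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD}" >&2; return 1; }`. Related: with the reader block removed, nothing in these scripts deletes the existing `radix-cr-reader-*` principal or its stored key-vault credential in zones that were bootstrapped before this change (the Terraform hunk should drop the AcrPull assignment on apply, but the principal itself is not managed there as far as I can see), so presumably that is a manual cleanup step and worth stating in the PR description. The body of `set_permissions_on_acr` continues outside the hunk.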
14 changes: 6 additions & 8 deletions scripts/radix-zone/base-infrastructure/teardown.sh
Expand Up @@ -2,14 +2,14 @@

#######################################################################################
### PURPOSE
###
###

# Tear down radix zone infrastructure


#######################################################################################
### INPUTS
###
###

# Required:
# - RADIX_ZONE_ENV : Path to *.env file
Expand All @@ -20,14 +20,14 @@

#######################################################################################
### HOW TO USE
###
###

# RADIX_ZONE_ENV=../radix_zone_playground.env ./teardown.sh


#######################################################################################
### START
###
###

echo ""
echo "Start tear down of Radix Zone... "
Expand Down Expand Up @@ -111,7 +111,6 @@ printf "\n"
printf "\n - AZ_RESOURCE_AAD_SERVER : $AZ_RESOURCE_AAD_SERVER"
printf "\n - AZ_RESOURCE_AAD_CLIENT : $AZ_RESOURCE_AAD_CLIENT"
printf "\n"
printf "\n - AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
printf "\n - AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
printf "\n - AZ_SYSTEM_USER_CLUSTER : $AZ_SYSTEM_USER_CLUSTER"
printf "\n"
Expand Down Expand Up @@ -139,7 +138,6 @@ fi
### Remove infrastructure
###

delete_service_principal_and_stored_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
delete_service_principal_and_stored_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
delete_service_principal_and_stored_credentials "$AZ_SYSTEM_USER_CLUSTER"

Expand All @@ -155,7 +153,7 @@ printf "...Done.\n"

printf "Working on resource groups: \n"
printf "Deleting ${AZ_RESOURCE_GROUP_CLUSTERS}...\n"
az group delete --yes --name "${AZ_RESOURCE_GROUP_CLUSTERS}" --output none
az group delete --yes --name "${AZ_RESOURCE_GROUP_CLUSTERS}" --output none
printf "Deleting ${AZ_RESOURCE_GROUP_COMMON}...\n"
az group delete --yes --name "${AZ_RESOURCE_GROUP_COMMON}" --output none
printf "Deleting ${AZ_RESOURCE_GROUP_MONITORING}...\n"
Expand All @@ -169,4 +167,4 @@ printf "...Done.\n"
###

echo ""
echo "Teardown done!"
echo "Teardown done!"
1 change: 0 additions & 1 deletion scripts/radix-zone/radix_zone_c2.env
Expand Up @@ -94,7 +94,6 @@ AZ_RESOURCE_ACR_AGENT_POOL_COUNT=2
### System users
###

AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER="radix-cr-reader-${RADIX_ZONE}"
AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD="radix-cr-cicd-${RADIX_ZONE}"
AZ_SYSTEM_USER_APP_REGISTRY_SECRET_KEY="radix-app-registry-secret"
AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"
1 change: 0 additions & 1 deletion scripts/radix-zone/radix_zone_dev.env
Expand Up @@ -96,7 +96,6 @@ AZ_RESOURCE_ACR_AGENT_POOL_COUNT=2
### System users
###

AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER="radix-cr-reader-${RADIX_ZONE}"
AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD="radix-cr-cicd-${RADIX_ZONE}"
AZ_SYSTEM_USER_APP_REGISTRY_SECRET_KEY="radix-app-registry-secret"
AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"
1 change: 0 additions & 1 deletion scripts/radix-zone/radix_zone_playground.env
Expand Up @@ -95,7 +95,6 @@ AZ_RESOURCE_ACR_AGENT_POOL_COUNT=2
### System users
###

AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER="radix-cr-reader-${RADIX_ZONE}"
AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD="radix-cr-cicd-${RADIX_ZONE}"
AZ_SYSTEM_USER_APP_REGISTRY_SECRET_KEY="radix-app-registry-secret"
AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"
1 change: 0 additions & 1 deletion scripts/radix-zone/radix_zone_prod.env
Expand Up @@ -95,7 +95,6 @@ AZ_RESOURCE_ACR_AGENT_POOL_COUNT=8
### System users
###

AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER="radix-cr-reader-platform"
AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD="radix-cr-cicd-platform"
AZ_SYSTEM_USER_APP_REGISTRY_SECRET_KEY="radix-app-registry-secret"
AZ_SYSTEM_USER_APP_REGISTRY_USERNAME="radix-app-registry-secret-${RADIX_ZONE}"
1 change: 0 additions & 1 deletion scripts/radix-zone/radix_zone_test.env
Expand Up @@ -73,7 +73,6 @@ AZ_RESOURCE_DNS="${RADIX_ZONE}.radix.equinor.com"
### System users
###

AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER="radix-cr-reader-${RADIX_ZONE}"
AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD="radix-cr-cicd-${RADIX_ZONE}"
AZ_SYSTEM_USER_CLUSTER="radix-cluster-${RADIX_ENVIRONMENT}"

2 changes: 0 additions & 2 deletions scripts/service-principals-and-aad-apps/bootstrap.sh
Expand Up @@ -119,7 +119,6 @@ echo -e " - RADIX_ENVIRONMENT : $RADIX_ENVIRONMENT"
echo -e ""
echo -e " > WHAT:"
echo -e " -------------------------------------------------------------------"
echo -e " - AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
echo -e " - AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
echo -e ""
echo -e " > WHO:"
Expand Down Expand Up @@ -150,7 +149,6 @@ fi
### Create service principal
###

create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER" "Provide read-only access to container registry"
create_service_principal_and_store_credentials "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD" "Provide push, pull, build in container registry"

#######################################################################################
12 changes: 5 additions & 7 deletions scripts/service-principals-and-aad-apps/teardown.sh
Expand Up @@ -3,14 +3,14 @@

#######################################################################################
### PURPOSE
###
###

# Teardown radix service principals: delete them and delete credentials in az keyvault


#######################################################################################
### INPUTS
###
###

# Required:
# - RADIX_ZONE_ENV : Path to *.env file
Expand All @@ -21,14 +21,14 @@

#######################################################################################
### HOW TO USE
###
###

# RADIX_ZONE_ENV=../radix-zone/radix_zone_dev.env ./teardown.sh


#######################################################################################
### START
###
###

echo ""
echo "Start teardown radix service principals... "
Expand Down Expand Up @@ -104,7 +104,6 @@ echo -e " - RADIX_ENVIRONMENT : $RADIX_ENVIRONMENT"
echo -e ""
echo -e " > WHAT:"
echo -e " -------------------------------------------------------------------"
echo -e " - AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
echo -e " - AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD : $AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"
echo -e ""
echo -e " > WHO:"
Expand Down Expand Up @@ -142,7 +141,6 @@ function delete_service_principal() {
printf "Done.\n"
}

delete_service_principal "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_READER"
delete_service_principal "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"


Expand All @@ -152,4 +150,4 @@ delete_service_principal "$AZ_SYSTEM_USER_CONTAINER_REGISTRY_CICD"


echo ""
echo "Teardown of radix service principals done!"
echo "Teardown of radix service principals done!"
6 changes: 0 additions & 6 deletions terraform/subscriptions/modules/acr/main.tf
Expand Up @@ -107,12 +107,6 @@ resource "azurerm_role_assignment" "env" {
principal_id = var.radix_cr_cicd
}

resource "azurerm_role_assignment" "env_pull" {
scope = azurerm_container_registry.env.id
role_definition_name = "AcrPull"
principal_id = var.radix_cr_reader
}

resource "azurerm_private_endpoint" "env" {
name = var.acr == "c2" ? "pe-radix-acr-c2prod" : "pe-radix-acr-${var.acr}"
resource_group_name = var.vnet_resource_group
5 changes: 0 additions & 5 deletions terraform/subscriptions/modules/acr/variables.tf
Expand Up @@ -162,8 +162,3 @@ variable "radix_cr_cicd" {
type = string
description = "ID of radix-cr Contributor"
}

variable "radix_cr_reader" {
type = string
description = "ID of radix-cr Reader"
}