implementation of MISE middleware

Azure · Sep 11, 2024 · 65cb0cb · 65cb0cb
1 parent 635c5a3
commit 65cb0cb
Show file tree

Hide file tree

Showing 24 changed files with 1,006 additions and 61 deletions.
diff --git a/pkg/deploy/assets/gateway-production.json b/pkg/deploy/assets/gateway-production.json
diff --git a/pkg/deploy/assets/rp-production-parameters.json b/pkg/deploy/assets/rp-production-parameters.json
@@ -75,6 +75,9 @@
         "fpServicePrincipalId": {
             "value": ""
         },
+        "fpTenantId": {
+            "value": ""
+        },
         "gatewayDomains": {
             "value": ""
         },
@@ -99,6 +102,12 @@
         "mdsdEnvironment": {
             "value": ""
         },
+        "miseValidAppIDs": {
+            "value": ""
+        },
+        "miseValidAudiences": {
+            "value": ""
+        },
         "nonZonalRegions": {
             "value": [
                 "eastasia",

diff --git a/pkg/deploy/assets/rp-production.json b/pkg/deploy/assets/rp-production.json
diff --git a/pkg/deploy/config.go b/pkg/deploy/config.go
@@ -63,6 +63,7 @@ type Configuration struct {
 	ExtraServiceKeyvaultAccessPolicies []interface{}          `json:"extraServiceKeyvaultAccessPolicies,omitempty" value:"required"`
 	FluentbitImage                     *string                `json:"fluentbitImage,omitempty" value:"required"`
 	FPClientID                         *string                `json:"fpClientId,omitempty" value:"required"`
+	FPTENANTID                         *string                `json:"fpTenantId,omitempty" value:"required"`
 	FPServerCertCommonName             *string                `json:"fpServerCertCommonName,omitempty"`
 	FPServicePrincipalID               *string                `json:"fpServicePrincipalId,omitempty" value:"required"`
 	GatewayDomains                     []string               `json:"gatewayDomains,omitempty"`
@@ -78,6 +79,8 @@ type Configuration struct {
 	KeyvaultPrefix                     *string                `json:"keyvaultPrefix,omitempty" value:"required"`
 	MDMFrontendURL                     *string                `json:"mdmFrontendUrl,omitempty" value:"required"`
 	MDSDEnvironment                    *string                `json:"mdsdEnvironment,omitempty" value:"required"`
+	MISEVALIDAUDIENCES                 []string               `json:"miseValidAudiences,omitempty"`
+	MISEVALIDAPPIDs                    []string               `json:"miseValidAppIDs,omitempty"`
 	NonZonalRegions                    []string               `json:"nonZonalRegions,omitempty"`
 	PortalAccessGroupIDs               []string               `json:"portalAccessGroupIds,omitempty" value:"required"`
 	PortalClientID                     *string                `json:"portalClientId,omitempty" value:"required"`

diff --git a/pkg/deploy/devconfig.go b/pkg/deploy/devconfig.go
@@ -152,6 +152,7 @@ func DevConfig(_env env.Core) (*Config, error) {
 			},
 			FluentbitImage:       to.StringPtr(version.FluentbitImage(azureUniquePrefix + "aro." + _env.Environment().ContainerRegistryDNSSuffix)),
 			FPClientID:           to.StringPtr(os.Getenv("AZURE_FP_CLIENT_ID")),
+			FPTENANTID:           to.StringPtr(os.Getenv("AZURE_TENANT_ID")),
 			FPServicePrincipalID: to.StringPtr(os.Getenv("AZURE_FP_SERVICE_PRINCIPAL_ID")),
 			GatewayDomains: []string{
 				"eastus-shared.ppe.warm.ingest.monitor.core.windows.net",
@@ -173,6 +174,13 @@ func DevConfig(_env env.Core) (*Config, error) {
 			GlobalSubscriptionID:        to.StringPtr(_env.SubscriptionID()),
 			MDMFrontendURL:              to.StringPtr("https://global.ppe.microsoftmetrics.com/"),
 			MDSDEnvironment:             to.StringPtr(version.DevGenevaLoggingEnvironment),
+			MISEVALIDAUDIENCES: []string{
+				"https://management.core.windows.net/",
+				_env.Environment().ResourceManagerEndpoint,
+			},
+			MISEVALIDAPPIDs: []string{
+				"2187cde1-7e28-4645-9104-19edfa500053",
+			},
 			PortalAccessGroupIDs: []string{
 				os.Getenv("AZURE_PORTAL_ACCESS_GROUP_IDS"),
 			},
@@ -189,6 +197,7 @@ func DevConfig(_env env.Core) (*Config, error) {
 				"DisableReadinessDelay",
 				"EnableOCMEndpoints",
 				"RequireOIDCStorageWebEndpoint",
+				"EnableMISE",
 			},
 			// TODO update this to support FF
 			RPImagePrefix:                     to.StringPtr(azureUniquePrefix + "aro.azurecr.io/aro"),

diff --git a/pkg/deploy/generator/resources_rp.go b/pkg/deploy/generator/resources_rp.go
@@ -376,6 +376,7 @@ func (g *generator) rpVMSS() *arm.Resource {
 		"databaseAccountName",
 		"fluentbitImage",
 		"fpClientId",
+		"fpTenantId",
 		"fpServicePrincipalId",
 		"gatewayDomains",
 		"gatewayResourceGroupName",
@@ -408,6 +409,18 @@ func (g *generator) rpVMSS() *arm.Resource {
 		)
 	}
 
+	// convert array variables to string using ARM string() function to be passed via customScript later
+	for _, variable := range []string{
+		"miseValidAudiences",
+		"miseValidAppIDs",
+	} {
+		parts = append(parts,
+			fmt.Sprintf("'%s=$(base64 -d <<<'''", strings.ToUpper(variable)),
+			fmt.Sprintf("base64(string(parameters('%s')))", variable),
+			"''')\n'",
+		)
+	}
+
 	for _, variable := range []string{
 		"adminApiCaBundle",
 		"armApiCaBundle",
@@ -423,6 +436,14 @@ func (g *generator) rpVMSS() *arm.Resource {
 		"'MDMIMAGE=''"+version.MdmImage("")+"''\n'",
 	)
 
+	parts = append(parts,
+		"'OTELIMAGE=''"+version.OTelImage("")+"''\n'",
+	)
+
+	parts = append(parts,
+		"'MISEIMAGE=''"+version.MiseImage("")+"''\n'",
+	)
+
 	parts = append(parts,
 		"'LOCATION=$(base64 -d <<<'''",
 		"base64(resourceGroup().location)",

diff --git a/pkg/deploy/generator/scripts/rpVMSS.sh b/pkg/deploy/generator/scripts/rpVMSS.sh
@@ -45,8 +45,8 @@ main() {
     )
 
     dnf_install_pkgs install_pkgs \
-                     retry_wait_time \
-                     "$pkg_retry_count"
+                      retry_wait_time \
+                      "$pkg_retry_count"
 
     fips_configure
 
@@ -60,13 +60,17 @@ main() {
     # shellcheck disable=SC2153 disable=SC2034
     local -r mdmimage="${RPIMAGE%%/*}/${MDMIMAGE#*/}"
     local -r rpimage="$RPIMAGE"
+    local -r miseimage="${RPIMAGE%%/*}/${MISEIMAGE#*/}"
+    local -r otelimage="$OTELIMAGE"
     # shellcheck disable=SC2034
     local -r fluentbit_image="$FLUENTBITIMAGE"
     # shellcheck disable=SC2034
     local -rA aro_images=(
         ["mdm"]="mdmimage"
         ["rp"]="rpimage"
         ["fluentbit"]="fluentbit_image"
+        ["mise"]="miseimage"
+        ["otel"]="otelimage"
     )
 
     pull_container_images aro_images
@@ -150,6 +154,7 @@ KEYVAULT_PREFIX='$KEYVAULTPREFIX'
 MDM_ACCOUNT='$RPMDMACCOUNT'
 MDM_NAMESPACE='${role_rp^^}'
 MDSD_ENVIRONMENT='$MDSDENVIRONMENT'
+MISE_ADDRESS='http://aro-mise:5000'
 RP_FEATURES='$RPFEATURES'
 RPIMAGE='$rpimage'
 ARO_INSTALL_VIA_HIVE='$CLUSTERSINSTALLVIAHIVE'
@@ -174,7 +179,9 @@ OIDC_STORAGE_ACCOUNT_NAME='$OIDCSTORAGEACCOUNTNAME'
 
     # shellcheck disable=SC2034
     local -ra aro_services=(
+        "aro-mise"
         "aro-monitor"
+        "aro-otel-collector"
         "aro-portal"
         "aro-rp"
         "azsecd"