Merge pull request #211 from adamrushuk/develop

devops-lab-v2.0.0

.github/workflows/build.yml

@@ -61,12 +61,12 @@ env:
   TF_INPUT: "false"
   TF_PLAN: "tfplan"
   # https://github.com/hashicorp/terraform/releases
-  TF_VERSION: "1.0.3"
+  TF_VERSION: "1.0.10"
   TF_WORKING_DIR: ./terraform
   # https://github.com/terraform-linters/tflint-ruleset-azurerm/releases
-  TFLINT_RULESET_AZURERM_VERSION: "v0.11.0"
+  TFLINT_RULESET_AZURERM_VERSION: "v0.13.2"
   # https://github.com/terraform-linters/tflint/releases
-  TFLINT_VERSION: "v0.30.0"
+  TFLINT_VERSION: "v0.33.0"
 
   # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:
   # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489

.github/workflows/destroy.yml

@@ -55,7 +55,7 @@ env:
   TF_LOG_PATH: terraform.log
   TF_LOG: TRACE
   # https://github.com/hashicorp/terraform/releases
-  TF_VERSION: "1.0.3"
+  TF_VERSION: "1.0.8"
   TF_WORKING_DIR: terraform
 
   # Env var concatenation is currently not supported at Workflow or Job scope. See workaround below:

.github/workflows/test.yml

@@ -1,5 +1,5 @@
 # https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions
-name: Webhook
+name: Test-Workflow
 
 # name of GitHub event that triggers workflow
 # https://help.github.com/en/actions/reference/events-that-trigger-workflows#external-events-repository_dispatch
@@ -28,8 +28,8 @@ on:
 env:
   MY_WORKFLOW_VAR: work
 
-  # UNSUPPORTED: Cannot concatenante at Workflow level
-  # MY_WORKFLOW_VAR2: ${{ env.MY_WORKFLOW_VAR }}-workvalue01
+  # TODO Currently Unsupported: Cannot concatenante at Workflow level
+  MY_CONCATENATED_WORKFLOW_VAR: "$MY_WORKFLOW_VAR-workflowvalue02"
 
 jobs:
   build:
@@ -41,8 +41,8 @@ jobs:
     env:
       MY_JOB_VAR: job
 
-      # UNSUPPORTED: Cannot concatenante at Job level
-      # MY_WORK_JOB_VAR: ${{ env.MY_WORKFLOW_VAR }}
+      # TODO Currently Unsupported: Cannot concatenante at Job level
+      # MY_WORK_JOB_VAR: "${{ env.MY_WORKFLOW_VAR }}-test"
 
     steps:
     # Checkout
@@ -58,15 +58,15 @@ jobs:
     # https://github.community/t5/GitHub-Actions/How-can-we-concatenate-multiple-env-vars-at-workflow-and-job/td-p/48489
     - name: BASH - Concatenate env vars (Workaround)
       run: |
-        echo "MY_CONCATENATED_BASH_VAR=${{ env.MY_WORKFLOW_VAR }}-${{ env.MY_JOB_VAR }}-bash-stepvalue01 >> $GITHUB_ENV
+        echo "MY_CONCATENATED_BASH_VAR=${{ env.MY_WORKFLOW_VAR }}-${{ env.MY_JOB_VAR }}-bash-stepvalue01" >> $GITHUB_ENV
 
     - name: PWSH - Concatenate env vars (Workaround)
       # override the default bash shell, as running on ubuntu
       # https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#using-a-specific-shell
       shell: pwsh
       # pwsh requires double quotes when setting env vars
       run: |
-        echo ""MY_CONCATENATED_PWSH_VAR=${{ env.MY_WORKFLOW_VAR }}-${{ env.MY_JOB_VAR }}-pwsh-stepvalue01" >> $GITHUB_ENV
+        echo "MY_CONCATENATED_PWSH_VAR=${{ env.MY_WORKFLOW_VAR }}-${{ env.MY_JOB_VAR }}-pwsh-stepvalue01" | Out-File -Append -Encoding utf8 -FilePath "$env:GITHUB_ENV"
 
     - name: Output event data
       shell: pwsh
@@ -77,6 +77,7 @@ jobs:
         Write-Output "MY_WORKFLOW_VAR is: [$env:MY_WORKFLOW_VAR]"
         Write-Output "MY_JOB_VAR is: [$env:MY_JOB_VAR]"
         Write-Output "MY_STEP_VAR is: [$env:MY_STEP_VAR]"
+        Write-Output "MY_CONCATENATED_WORKFLOW_VAR is: [$env:MY_CONCATENATED_WORKFLOW_VAR]"
         Write-Output "MY_CONCATENATED_BASH_VAR is: [$env:MY_CONCATENATED_BASH_VAR]"
         Write-Output "MY_CONCATENATED_PWSH_VAR is: [$env:MY_CONCATENATED_PWSH_VAR]"
         Write-Output "SLACK_JSON is: [$env:SLACK_JSON]"

terraform/aks.tf

@@ -54,7 +54,7 @@ resource "azurerm_log_analytics_solution" "aks" {
 # https://registry.terraform.io/modules/adamrushuk/aks/azurerm/latest
 module "aks" {
   source  = "adamrushuk/aks/azurerm"
-  version = "~> 0.9.0"
+  version = "~> 0.11.0"
 
   kubernetes_version   = var.kubernetes_version
   location             = azurerm_resource_group.aks.location

terraform/argocd_sso.tf

@@ -2,21 +2,22 @@
 #
 # https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/microsoft/#azure-ad-app-registration-auth-using-oidc
 
-resource "random_password" "argocd" {
-  length  = 32
-  special = false
-  keepers = {
-    service_principal = azuread_application.argocd.id
-  }
+# https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/application_published_app_ids
+data "azuread_application_published_app_ids" "well_known" {}
+
+resource "azuread_service_principal" "msgraph" {
+  application_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
+  use_existing   = true
 }
 
 # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application
 resource "azuread_application" "argocd" {
   display_name            = var.argocd_app_reg_name
-  identifier_uris         = ["https://${var.argocd_app_reg_name}"]
+  identifier_uris         = ["https://${var.argocd_fqdn}"]
   sign_in_audience        = "AzureADMyOrg"
-  group_membership_claims = "All"
+  group_membership_claims = ["All"]
   prevent_duplicate_names = true
+  logo_image              = filebase64("${path.module}/files/argocd-logo.png")
 
   web {
     homepage_url  = "https://${var.argocd_fqdn}"
@@ -31,13 +32,20 @@ resource "azuread_application" "argocd" {
   # reference: https://github.com/mjisaak/azure-active-directory/blob/master/README.md#well-known-appids
   required_resource_access {
     # Microsoft Graph
-    resource_app_id = "00000003-0000-0000-c000-000000000000"
+    resource_app_id = data.azuread_application_published_app_ids.well_known.result.MicrosoftGraph
 
-    # User.Read - e1fe6dd8-ba31-4d61-89e7-88639da4683d - Sign in and read user profile
+    # Oauth2Permissions are delegated permissions, type=Scope
     resource_access {
-      id   = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
+      id   = azuread_service_principal.msgraph.oauth2_permission_scope_ids["User.Read"]
       type = "Scope"
     }
+
+    # ? keeping for future reference
+    # # application permissions, type=Role
+    # resource_access {
+    #   id   = azuread_service_principal.msgraph.app_role_ids["User.Read.All"]
+    #   type = "Role"
+    # }
   }
 
   optional_claims {
@@ -57,24 +65,26 @@ resource "azuread_application" "argocd" {
   }
 }
 
-# TODO: add "SelfServiceAppAccess" tag to enable self-service options in Enterprise App
+data "azuread_client_config" "current" {}
+
 resource "azuread_service_principal" "argocd" {
-  application_id = azuread_application.argocd.application_id
+  application_id                = azuread_application.argocd.application_id
+  owners                        = [data.azuread_client_config.current.object_id]
+  description                   = "Argo CD Service Principle"
+  notes                         = "Operational notes can go here"
+  preferred_single_sign_on_mode = "oidc"
+  # tags                          = ["notApiConsumer", "webApp"]
 }
 
 # https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_password
 resource "azuread_application_password" "argocd" {
   application_object_id = azuread_application.argocd.id
   display_name          = "argocd_secret"
-  value                 = random_password.argocd.result
   end_date              = "2099-01-01T01:02:03Z"
-
-  depends_on = [azuread_service_principal.argocd]
 }
 
 data "azurerm_client_config" "current" {}
 
-
 # argocd-cm patch
 # https://www.terraform.io/docs/provisioners/local-exec.html
 resource "null_resource" "argocd_cm" {
@@ -115,7 +125,7 @@ resource "null_resource" "argocd_cm" {
 resource "null_resource" "argocd_secret" {
   triggers = {
     yaml_contents = filemd5(var.argocd_secret_yaml_path)
-    clientSecret  = random_password.argocd.result
+    clientSecret  = azuread_application_password.argocd.value
   }
 
   provisioner "local-exec" {
@@ -125,7 +135,7 @@ resource "null_resource" "argocd_secret" {
       ARGOCD_SECRET_PATCH_YAML = templatefile(
         var.argocd_secret_yaml_path,
         {
-          "clientSecretBase64" = base64encode(random_password.argocd.result)
+          "clientSecretBase64" = base64encode(azuread_application_password.argocd.value)
         }
       )
     }

terraform/files/argocd-values.yaml

@@ -1,5 +1,3 @@
-installCRDs: false
-
 server:
   # this is required to disable SSL redirection, as ingress handles this
   extraArgs:

terraform/files/scripts/argocd_config.sh

@@ -6,28 +6,30 @@
 set -euo pipefail
 trap "echo 'error: Script failed: see failed command above'" ERR
 
+# Manual Testing
+# ARGOCD_FQDN="argocd.thehypepipe.co.uk"
+# ARGOCD_PATH="argocd"
+# ARGOCD_ADMIN_PASSWORD="[SEE VAULT]"
+
 # Vars
 ARGOCD_PATH="./argocd"
 REPO_SSH_PRIVATE_KEY_PATH="./id_ed25519_argocd"
 export ARGOCD_OPTS="--grpc-web"
 ARGOCD_HEALTH_CHECK_URL="https://$ARGOCD_FQDN/healthz"
 
 # Install
-VERSION="v2.0.5"
+# https://github.com/argoproj/argo-cd/releases/
+VERSION="v2.1.6"
 curl -sSL -o "$ARGOCD_PATH" "https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64"
 chmod +x "$ARGOCD_PATH"
 
 # Wait for URL to be responsive
 echo "Checking ArgoCD is ready on [$ARGOCD_HEALTH_CHECK_URL]..."
-while [[ "$(curl -s -o /dev/null -w ''%{http_code}''  $ARGOCD_HEALTH_CHECK_URL)" != "200" ]]; do
+while [[ "$(curl --silent --output /dev/null --write-out ''%{http_code}'' --url "$ARGOCD_HEALTH_CHECK_URL")" != "200" ]]; do
     echo "Still waiting for ArgoCD to be ready on [$ARGOCD_HEALTH_CHECK_URL]..."
     sleep 10
 done
 
-# Show version
-echo "Showing Argo CD version info for [$ARGOCD_FQDN]..."
-"$ARGOCD_PATH" version --server "$ARGOCD_FQDN"
-
 # Get default admin password
 # Argo CD v1.9 and later: https://argoproj.github.io/argo-cd/getting_started/#4-login-using-the-cli
 # check secret called "argocd-initial-admin-secret"
@@ -46,6 +48,10 @@ else
     "$ARGOCD_PATH" login "$ARGOCD_FQDN" --username admin --password "$ARGOCD_ADMIN_PASSWORD"
 fi
 
+# Show version
+echo "Showing Argo CD version info for [$ARGOCD_FQDN]..."
+"$ARGOCD_PATH" version "$ARGOCD_FQDN"
+
 # Show info
 echo "Showing Argo CD cluster info..."
 "$ARGOCD_PATH" account list

terraform/helm/aad_pod_identity_default_values.yaml

@@ -1,4 +1,4 @@
-# source: https://github.com/Azure/aad-pod-identity/blob/v1.8.0/charts/aad-pod-identity/values.yaml
+# source: https://github.com/Azure/aad-pod-identity/blob/v1.8.3/charts/aad-pod-identity/values.yaml
 
 # Default values for aad-pod-identity-helm.
 # This is a YAML-formatted file.
@@ -45,7 +45,7 @@ operationMode: "standard"
 
 mic:
   image: mic
-  tag: v1.8.0
+  tag: v1.8.3
 
   # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical
   priorityClassName: ""
@@ -77,17 +77,18 @@ mic:
     # - key: "CriticalAddonsOnly"
     #   operator: "Exists"
 
-  # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
-  affinity: {}
-    # nodeAffinity:
-    #   preferredDuringSchedulingIgnoredDuringExecution:
-    #     - weight 1
-    #       preference:
-    #         matchExpressions:
-    #           - key: kubernetes.azure.com/mode
-    #             operator: In
-    #             values:
-    #               - system
+  # Affinity rules to apply to the mic deployment.
+  # Uses an anti-affinity rule to prefer not to co-locate pods on the same node as default.
+  # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+  affinity:
+    podAntiAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 1
+        podAffinityTerm:
+          topologyKey: kubernetes.io/hostname
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/component: mic
 
   # Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
   # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
@@ -158,7 +159,7 @@ mic:
 
 nmi:
   image: nmi
-  tag: v1.8.0
+  tag: v1.8.3
 
   # ref: https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/#marking-pod-as-critical
   priorityClassName: ""
@@ -175,6 +176,11 @@ nmi:
       cpu: 100m
       memory: 256Mi
 
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+
   podAnnotations: {}
 
   podLabels: {}
@@ -219,8 +225,8 @@ nmi:
   findIdentityRetryIntervalInSeconds: ""
 
   # Enable scale features - https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.featureflags.md#enable-scale-features-flag
-  # Accepted values are true/false. Default is false.
-  enableScaleFeatures: ""
+  # Accepted values are true/false. Default is true for v1.8.1+.
+  enableScaleFeatures: true
 
   # default value is 9090
   # prometheus port for metrics
@@ -242,6 +248,9 @@ nmi:
   # default is /etc/default/kubelet
   kubeletConfig: "/etc/default/kubelet"
 
+  # Set retry-after header in the NMI responses when the identity is still being assigned.
+  setRetryAfterHeader: false
+
 rbac:
   enabled: true
   # NMI requires permissions to get secrets when service principal (type: 1) is used in AzureIdentity.