Merge pull request #4 from kaizentm/eedorenko/azure-npm

Eedorenko/azure npm

.pipelines/deploy-secure-aks-baseline.yaml

@@ -206,8 +206,7 @@ stages:
           scriptType: bash
           inlineScript: |
             cp -rs $(Build.SourcesDirectory)/* /tf/caf && cp -r $(Build.SourcesDirectory)/.devcontainer /tf/caf/            
-            cd /tf/caf/enterprise_scale/construction_sets/aks
-            env
+            cd /tf/caf/enterprise_scale/construction_sets/aks            
             ./scripts/deploy_level_with_rover.sh 4_flux level4
             echo $(terraform output -json | jq -r .aks_clusters_kubeconfig.value.cluster_re1.aks_kubeconfig_admin_cmd) | bash
         env:

enterprise_scale/construction_sets/aks/flux.tf

@@ -11,14 +11,9 @@ provider "kubernetes" {
  host                   = try(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].host, null)
  client_key             = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_key), null)
  client_certificate     = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].client_certificate), null)
- cluster_ca_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate), null)  
+ cluster_ca_certificate = try(base64decode(module.caf.aks_clusters.cluster_re1.kube_admin_config[0].cluster_ca_certificate), null)    
 }
 
-provider "github"  {
-  alias = "flux"
-  owner = var.github_owner
-  token = var.github_token
-}
 
 data "flux_install" "main" {
   target_path = var.target_install_path
@@ -94,40 +89,3 @@ resource "kubectl_manifest" "sync" {
   yaml_body  = each.value
 }
 
-resource "github_branch_default" "main" {
-  count = var.repository_name == "" ? 0 : 1    
-  provider = github.flux
-  repository = var.repository_name
-  branch     = var.branch
-}
-
-
-resource "github_repository_file" "install" {
-  count = var.repository_name == "" ? 0 : 1    
-  provider = github.flux
-  repository = var.repository_name
-  file       = data.flux_install.main.path
-  content    = data.flux_install.main.content
-  branch     = var.branch
-  overwrite_on_create = true
-}
-
-resource "github_repository_file" "sync" {
-  count = var.repository_name == "" ? 0 : 1    
-  provider = github.flux
-  repository = var.repository_name
-  file       = data.flux_sync.main.path
-  content    = data.flux_sync.main.content
-  branch     = var.branch
-  overwrite_on_create = true
-}
-
-resource "github_repository_file" "kustomize" {
-  count = var.repository_name == "" ? 0 : 1    
-  provider = github.flux
-  repository = var.repository_name
-  file       = data.flux_sync.main.kustomize_path
-  content    = data.flux_sync.main.kustomize_content
-  branch     = var.branch
-  overwrite_on_create = true
-}

enterprise_scale/construction_sets/aks/online/aks_secure_baseline/02-aks.md

@@ -2,7 +2,7 @@
 
 ## Deploy cluster baseline settings via Flux
 
-If you use an [IaC pipeline](./.github/workflows/deploy-secure-aks-baseline.yaml) then Flux V2 and [infrastructure configurations](./cluster-baseline-settings) will be installed automatically by the last stage of the pipeline. In this case you can skip the instructions below and go to [Deploy sample workload](#deploy-sample-workload).
+Flux V2 and [infrastructure configurations](./cluster-baseline-settings) are installed automatically by the Terraform module. 
 
 If you are following the manual approach, then perform the instructions below:  
 
@@ -19,23 +19,7 @@ Make sure the current folder is "*enterprise_scale/construction_sets/aks*"
   # Make sure logged in
   kubectl get pods -A
   ```
-
-Bootstrap a cluster with Flux v2:
-  ```bash
-  export GITHUB_TOKEN=<your-token>
-  export GITHUB_USER=<your-username>
-
-    flux bootstrap github \
-    --owner=$GITHUB_USER \
-    --repository=caf-terraform-landingzones-starter \
-    --branch=starter \
-    --path=./enterprise_scale/construction_sets/aks/online/aks_secure_baseline/flux \
-    --public
-
-  # Watch Flux deployment, Ctrl-C to quit
-  kubectl get pod -n flux-system -w
-
-  ```  
+```  
 
 Please review the Baseline components that are deployed at [cluster-baseline-settings](./cluster-baseline-settings):
 
@@ -45,13 +29,11 @@ Please review the Baseline components that are deployed at [cluster-baseline-set
 - Kured
 
   ```bash
-  # Deploy Baseline components via Flux v2 Kustomization
-  kubectl apply -f online/aks_secure_baseline/flux/cluster-baseline-settings.yaml
   # Watch configurations deployment, Ctrl-C to quit
   kubectl get pod -n cluster-baseline-settings -w
   ```
 
-Flux will pull yamls from [cluster-baseline-settings](./cluster-baseline-settings) and apply them to the cluster.
+Flux pulls yamls from [cluster-baseline-settings](./cluster-baseline-settings) and applies them to the cluster.
 If there is a need to change the folder to your own, please modify [cluster-baseline-settings.yaml](flux/cluster-baseline-settings.yaml) 
 
 ## Deploy sample workload

enterprise_scale/construction_sets/aks/online/aks_secure_baseline/configuration/aks.tfvars

@@ -17,14 +17,17 @@ aks_clusters = {
       type = "SystemAssigned"
     }
 
-    kubernetes_version = "1.19.9"
+    kubernetes_version = "1.20.5"
     vnet_key           = "vnet_aks_re1"
 
+    # network plugin and network policy should be "azure" (recommended by Secure AKS baseline)
     network_profile = {
       network_plugin    = "azure"
-      load_balancer_sku = "Standard"
+      load_balancer_sku = "Standard"      
+      network_policy = "azure"       
     }
 
+
     role_based_access_control = {
       enabled = true
       azure_active_directory = {
@@ -67,7 +70,7 @@ aks_clusters = {
       node_count            = 3
       os_disk_type          = "Ephemeral"
       os_disk_size_gb       = 80
-      orchestrator_version  = "1.19.9"
+      orchestrator_version  = "1.20.5"
       tags = {
         "project" = "system services"
       }
@@ -86,7 +89,7 @@ aks_clusters = {
         os_disk_type          = "Ephemeral"
         enable_auto_scaling  = false
         os_disk_size_gb      = 120
-        orchestrator_version = "1.19.9"
+        orchestrator_version = "1.20.5"
         tags = {
           "project" = "user services"
         }

enterprise_scale/construction_sets/aks/online/aks_secure_baseline/flux/flux-system/gotk-components.yaml

@@ -2739,18 +2739,18 @@ metadata:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
     app.kubernetes.io/version: v0.12.0
-  name: allow-scraping
+  name: deny-ingress
   namespace: flux-system
 spec:
+  egress:
+  - {}
   ingress:
   - from:
-    - namespaceSelector: {}
-    ports:
-    - port: 8080
-      protocol: TCP
+    - podSelector: {}
   podSelector: {}
   policyTypes:
   - Ingress
+  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -2778,15 +2778,17 @@ metadata:
     app.kubernetes.io/instance: flux-system
     app.kubernetes.io/part-of: flux
     app.kubernetes.io/version: v0.12.0
-  name: deny-ingress
+  name: allow-scraping
   namespace: flux-system
 spec:
-  egress:
-  - {}
   ingress:
   - from:
-    - podSelector: {}
+    - namespaceSelector: {}
+    ports:
+    - port: 8080
+      protocol: TCP
   podSelector: {}
   policyTypes:
   - Ingress
-  - Egress
+
+

enterprise_scale/construction_sets/aks/test/level3_aks/ExpectedValues.yml

@@ -8,4 +8,4 @@ AzurePolicyEnabled: true
 NetworkPlugin: "azure"
 ManagedOutboundIpCount: 1
 RBACEnabled: true
-
+NetworkPolicy: "NetworkPolicyAzure"

enterprise_scale/construction_sets/aks/test/level3_aks/level3_aks_test.go

@@ -21,6 +21,7 @@ type ExpectedValues struct {
 	NetworkPlugin          string
 	ManagedOutboundIpCount int
 	RBACEnabled            bool
+	NetworkPolicy          string
 }
 
 func TestAksAgentPoolProfile(t *testing.T) {
@@ -60,8 +61,11 @@ func TestAksLoadBalancerProfile(t *testing.T) {
 
 	cluster := getCluster(t, expectedValues.ResourceGroupName, expectedValues.ClusterName)
 
-	// Test Network type (plugin) is Azure
+	// Test Network type (plugin)
 	assert.Equal(t, expectedValues.NetworkPlugin, string(cluster.NetworkProfile.NetworkPlugin))
+
+	// Test Network policy
+	assert.Equal(t, expectedValues.NetworkPolicy, string(cluster.NetworkProfile.NetworkPolicy))
 }
 
 func TestAksNetworkProfile(t *testing.T) {