From c1d07bce1aca16ff66613b7572260b7a2257b02e Mon Sep 17 00:00:00 2001
From: Automatic Update
Date: Thu, 5 Sep 2024 10:19:19 +0200
Subject: [PATCH] Keyvault cleanup - Change variables

---
 scripts/aks/bootstrap.sh | 8 ++---
 scripts/aks/clusterlist.sh | 4 +--
 scripts/aks/teardown.sh | 4 +--
 scripts/aks/update_api_server_whitelist.sh | 2 +-
 .../scaling/create-managed-identity.sh | 2 +-
 scripts/config-and-secrets/bootstrap-acr.sh | 4 +--
 scripts/dockerhub/update_docker_auth.sh | 6 ++--
 scripts/flux/bootstrap.sh | 12 +++---
 scripts/github_maintenance/bootstrap.sh | 2 +-
 scripts/migrate.sh | 2 +-
 scripts/radix-zone/radix_zone_c2.env | 7 ++--
 scripts/radix-zone/radix_zone_dev.env | 7 ++--
 scripts/radix-zone/radix_zone_playground.env | 7 ++--
 scripts/radix-zone/radix_zone_prod.env | 7 ++--
 .../bootstrap.sh | 2 +-
 .../lib_managed_identity.sh | 36 +++++++++----------
 .../lib_service_principal.sh | 8 ++---
 .../refresh_aad_app_credentials.sh | 2 +-
 .../refresh_web_console_app_credentials.sh | 6 ++--
 ...pdate_secret_for_radix_servicenow_proxy.sh | 4 +--
 .../scripts/keyvaultsecret.env.template | 9 +++--
 .../scripts/template_move_secrets.ps1 | 19 +++++-----
 22 files changed, 78 insertions(+), 82 deletions(-)

diff --git a/scripts/aks/bootstrap.sh b/scripts/aks/bootstrap.sh
index c9d5a0c74..79e88df14 100755
--- a/scripts/aks/bootstrap.sh
+++ b/scripts/aks/bootstrap.sh
@@ -443,7 +443,7 @@ echo "Bootstrap advanced network for aks instance \"${CLUSTER_NAME}\"... "
 SECRET_NAME="radix-clusters"
 update_keyvault="true"
 K8S_CLUSTER_LIST=$(az keyvault secret show \
- --vault-name "${AZ_COMMON_KEYVAULT}" --name "${SECRET_NAME}" \
+ --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${SECRET_NAME}" \
 --query="value" \
 --output tsv | jq '{clusters:.clusters | sort_by(.name | ascii_downcase)}' 2>/dev/null)
 temp_file_path="/tmp/$(uuidgen)"
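Review bot: With the vault swapped to `AZ_RESOURCE_KEYVAULT`, a failed `az keyvault secret show` (vault not found, no data-plane access on the new vault) still leaves `K8S_CLUSTER_LIST` silently empty, because the `2>/dev/null` applies only to `jq` and the assignment takes jq's exit status, so the script carries on with an empty value. The value is consumed past the end of the hunk, so I cannot see whether an empty list is caught there; an explicit guard right after the assignment would make a missed migration visible: `[[ -n "$K8S_CLUSTER_LIST" ]] || { printf "ERROR: Could not read secret %s from keyvault %s\n" "$SECRET_NAME" "$AZ_RESOURCE_KEYVAULT" >&2; exit 1; }`. The same call is rewritten in bootstrap.sh at 465, clusterlist.sh at 92 and teardown.sh at 410.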
@@ -455,7 +455,7 @@ if [[ ${update_keyvault} == true ]]; then
 EXPIRY_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ" --date="$KV_EXPIRATION_TIME")
 #printf "\nUpdating keyvault \"%s\"... " "${AZ_RESOURCE_KEYVAULT}"
- if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_COMMON_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
+ if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_RESOURCE_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
 printf "\nERROR: Could not update secret in keyvault \"%s\". Exiting..." "${AZ_RESOURCE_KEYVAULT}" >&2
 exit 1
 fi
@@ -465,7 +465,7 @@ fi
 #Lets run it again interactivly
 K8S_CLUSTER_LIST=$(az keyvault secret show \
- --vault-name "${AZ_COMMON_KEYVAULT}" --name "${SECRET_NAME}" \
+ --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${SECRET_NAME}" \
 --query="value" \
 --output tsv | jq '{clusters:.clusters | sort_by(.name | ascii_downcase)}' 2>/dev/null)
 temp_file_path="/tmp/$(uuidgen)"
@@ -477,7 +477,7 @@ if [[ ${update_keyvault} == true ]]; then
 EXPIRY_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ" --date="$KV_EXPIRATION_TIME")
 printf "\nUpdating keyvault \"%s\"... " "${AZ_RESOURCE_KEYVAULT}"
- if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_COMMON_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
+ if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_RESOURCE_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
 printf "\nERROR: Could not update secret in keyvault \"%s\". Exiting..." "${AZ_RESOURCE_KEYVAULT}" >&2
 exit 1
 fi
diff --git a/scripts/aks/clusterlist.sh b/scripts/aks/clusterlist.sh
index 72eab6f59..7ea908924 100755
--- a/scripts/aks/clusterlist.sh
+++ b/scripts/aks/clusterlist.sh
@@ -92,7 +92,7 @@ source ${RADIX_PLATFORM_REPOSITORY_PATH}/scripts/utility/lib_clusterlist.sh
 ###
 K8S_CLUSTER_LIST=$(az keyvault secret show \
- --vault-name "${AZ_COMMON_KEYVAULT}" --name "${SECRET_NAME}" \
+ --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${SECRET_NAME}" \
 --query="value" \
 --output tsv | jq '{clusters:.clusters | sort_by(.name | ascii_downcase)}' 2>/dev/null)
 temp_file_path="/tmp/$(uuidgen)"
@@ -104,7 +104,7 @@ if [[ ${update_keyvault} == true ]]; then
 EXPIRY_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ" --date="$KV_EXPIRATION_TIME")
 printf "\nUpdating keyvault \"%s\"... " "${AZ_RESOURCE_KEYVAULT}"
- if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_COMMON_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
+ if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_RESOURCE_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
 printf "\nERROR: Could not update secret in keyvault \"%s\". Exiting..." "${AZ_RESOURCE_KEYVAULT}" >&2
 exit 1
 fi
diff --git a/scripts/aks/teardown.sh b/scripts/aks/teardown.sh
index c485baaed..65760ddd0 100755
--- a/scripts/aks/teardown.sh
+++ b/scripts/aks/teardown.sh
@@ -410,7 +410,7 @@ echo "Done."
 SECRET_NAME="radix-clusters"
 update_keyvault="true"
 K8S_CLUSTER_LIST=$(az keyvault secret show \
- --vault-name "${AZ_COMMON_KEYVAULT}" --name "${SECRET_NAME}" \
+ --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${SECRET_NAME}" \
 --query="value" \
 --output tsv | jq '{clusters:.clusters | sort_by(.name | ascii_downcase)}' 2>/dev/null)
 temp_file_path="/tmp/$(uuidgen)"
@@ -422,7 +422,7 @@ if [[ ${update_keyvault} == true ]]; then
 EXPIRY_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ" --date="$KV_EXPIRATION_TIME")
 #printf "\nUpdating keyvault \"%s\"... " "${AZ_RESOURCE_KEYVAULT}"
- if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_COMMON_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
+ if [[ "$(az keyvault secret set --name "${SECRET_NAME}" --vault-name "${AZ_RESOURCE_KEYVAULT}" --value "${new_master_k8s_api_ip_whitelist}" --expires "$EXPIRY_DATE" 2>&1)" == *"ERROR"* ]]; then
 printf "\nERROR: Could not update secret in keyvault \"%s\". Exiting..." "${AZ_RESOURCE_KEYVAULT}" >&2
 exit 1
 fi
diff --git a/scripts/aks/update_api_server_whitelist.sh b/scripts/aks/update_api_server_whitelist.sh
index 736484e26..67b4a1247 100755
--- a/scripts/aks/update_api_server_whitelist.sh
+++ b/scripts/aks/update_api_server_whitelist.sh
@@ -81,7 +81,7 @@ fi
 # Define script variables
-SECRET_NAME="kubernetes-api-server-whitelist-ips-${RADIX_ENVIRONMENT}"
+SECRET_NAME="kubernetes-api-auth-ip-range"
 update_keyvault=false
 #######################################################################################
diff --git a/scripts/cicd-canary/scaling/create-managed-identity.sh b/scripts/cicd-canary/scaling/create-managed-identity.sh
index 6e339f3b1..eb9254770 100755
--- a/scripts/cicd-canary/scaling/create-managed-identity.sh
+++ b/scripts/cicd-canary/scaling/create-managed-identity.sh
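Review bot: `SECRET_NAME` drops the `${RADIX_ENVIRONMENT}` suffix at the same time as the env files in this commit drop the environment-scoped vault, so the API-server allow-list is now keyed only by the zone vault; if two environments ever resolve to the same `AZ_RESOURCE_KEYVAULT` they would read and overwrite each other's range, which I cannot rule out from this hunk. A comment above the assignment recording that deliberately shared scope would help the next reader, e.g. `# One IP range per zone vault (no longer environment-scoped); the migrated secret must exist in AZ_RESOURCE_KEYVAULT`. Since this secret gates API-server access for every cluster in the zone, the script header should also say that `set` permission on the shared vault now equals the ability to widen that allow-list.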
@@ -176,7 +176,7 @@ rm ${tmp_file_name}
 # TODO: DevOps issue 259748, downgrade Contributor role when new role is ready
 # https://github.com/equinor/Solum/issues/10900
 create_role_assignment_for_identity "${mi_name}" "${AKS_COMMAND_RUNNER_ROLE_NAME}" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}"
-set-kv-policy "${mi_object_id}" "get"
+# set-kv-policy "${mi_object_id}" "get"
 create-role-and-rolebinding "${WORKDIR_PATH}/role.yaml" "${WORKDIR_PATH}/rolebinding.yaml"
 modify-role-binding ${mi_object_id}
 add-federated-gh-credentials ${mi_name} "radix-platform" "master"
diff --git a/scripts/config-and-secrets/bootstrap-acr.sh b/scripts/config-and-secrets/bootstrap-acr.sh
index 1ed4048f6..4fa965fd1 100755
--- a/scripts/config-and-secrets/bootstrap-acr.sh
+++ b/scripts/config-and-secrets/bootstrap-acr.sh
@@ -109,7 +109,7 @@ verify_cluster_access
 printf "Installing registry sp secret in k8s cluster...\n"
 az keyvault secret download \
- --vault-name "$AZ_COMMON_KEYVAULT" \
+ --vault-name "$AZ_RESOURCE_KEYVAULT" \
 --name "radix-cr-cicd" \
 --file sp_credentials.json
@@ -141,7 +141,7 @@ printf "\nDone\n"
 printf "Installing app registry secret in k8s cluster...\n"
 az keyvault secret download \
- --vault-name "$AZ_COMMON_KEYVAULT" \
+ --vault-name "$AZ_RESOURCE_KEYVAULT" \
 --name "${AZ_SYSTEM_USER_APP_REGISTRY_SECRET_KEY}" \
 --file acr_password.json
diff --git a/scripts/dockerhub/update_docker_auth.sh b/scripts/dockerhub/update_docker_auth.sh
index 7b608910e..baf063c87 100755
--- a/scripts/dockerhub/update_docker_auth.sh
+++ b/scripts/dockerhub/update_docker_auth.sh
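Review bot: Commenting out `set-kv-policy "${mi_object_id}" "get"` removes the identity's secret-read grant without adding a replacement, and nothing else in the commit grants access on the new vault; if `radix-keyv-*` uses the Azure RBAC permission model, the script should instead assign a data-plane role here, for instance through the `create_role_assignment_for_identity` helper it already calls on the line above, with `"Key Vault Secrets User"` scoped to the vault resource id. The same removal is made in github_maintenance/bootstrap.sh at 118 (which granted `get set`), in service-principals-and-aad-apps/bootstrap.sh at 210, where the preceding `assign_role ... "Reader"` on the vault is control-plane only and does not substitute for a secret `get`, and in lib_managed_identity.sh at 220, where the whole function is commented out. Dead code is better deleted than kept as comments; git history retains the old function if it is needed again.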
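Review bot: `az keyvault secret download` into `sp_credentials.json` has no status check, so if `radix-cr-cicd` has not been migrated to `AZ_RESOURCE_KEYVAULT` (or the caller lacks access there) the script carries on with a missing or stale file; append `|| { printf "ERROR: Could not download radix-cr-cicd from %s\n" "$AZ_RESOURCE_KEYVAULT" >&2; exit 1; }` after `--file sp_credentials.json`. The same unchecked download is at 141 in this file (`acr_password.json`) and in flux/bootstrap.sh at 258 and 268, where `2>&1 >/dev/null` additionally sends az's error text to stdout while hiding its normal output, the reverse of what is intended. Because these files hold credentials, writing them under `mktemp -d` with a `trap ... EXIT` cleanup would stop them lingering in the working directory; I cannot see from the hunk whether they are removed later.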
@@ -111,7 +111,7 @@ echo -e "Update Docker auth in keyvault:"
 echo -e ""
 echo -e " > WHERE:"
 echo -e " ------------------------------------------------------------------"
-echo -e " - AZ_RESOURCE_KEYVAULT : $AZ_COMMON_KEYVAULT"
+echo -e " - AZ_RESOURCE_KEYVAULT : $AZ_RESOURCE_KEYVAULT"
 echo -e ""
 echo -e " > WHAT:"
 echo -e " ------------------------------------------------------------------"
@@ -147,13 +147,13 @@ printf "Updating Docker auth in keyvault... "
 EXPIRY_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ" --date="$KV_EXPIRATION_TIME") # The secrets have no real expiration date
 az keyvault secret set \
- --vault-name "${AZ_COMMON_KEYVAULT}" \
+ --vault-name "${AZ_RESOURCE_KEYVAULT}" \
 --name docker-io-auth-username \
 --value "${USER_NAME}" \
 --expires "${EXPIRY_DATE}" --output none || exit
 az keyvault secret set \
- --vault-name "${AZ_COMMON_KEYVAULT}" \
+ --vault-name "${AZ_RESOURCE_KEYVAULT}" \
 --name docker-io-auth-access-token \
 --value "${ACCESS_TOKEN}" \
 --expires "${EXPIRY_DATE}" --output none || exit
diff --git a/scripts/flux/bootstrap.sh b/scripts/flux/bootstrap.sh
index 805f60135..294be881f 100755
--- a/scripts/flux/bootstrap.sh
+++ b/scripts/flux/bootstrap.sh
@@ -171,7 +171,7 @@ echo -e " - CLUSTER_NAME : $CLUSTER_NAME"
 echo -e ""
 echo -e " > WHAT:"
 echo -e " -------------------------------------------------------------------"
-echo -e " - AZ_RESOURCE_KEYVAULT : $AZ_COMMON_KEYVAULT"
+echo -e " - AZ_RESOURCE_KEYVAULT : $AZ_RESOURCE_KEYVAULT"
 echo -e " - GIT_REPO : $GIT_REPO"
 echo -e " - GIT_BRANCH : $GIT_BRANCH"
 echo -e " - GIT_DIR : $GIT_DIR"
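Review bot: In the second `az keyvault secret set` of the 147 hunk, `--value "${ACCESS_TOKEN}"` puts the Docker Hub token on the `az` command line, where it is readable in the process list and in any `set -x` trace for the duration of the call; the `lib_service_principal.sh` hunk in this same commit already passes its credential with `--file "${tmp_file_path}"`, and the same pattern (write to a `mktemp` file, pass `--file`, remove it in a `trap`) would keep the two consistent. `|| exit` propagates az's status, which is correct, but a short message naming the secret and `AZ_RESOURCE_KEYVAULT` on stderr would make a failed write to the new vault easier to spot in a long run.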
@@ -231,8 +231,8 @@ printf "...Done"
 ### CREDENTIALS ###
-FLUX_PRIVATE_KEY="$(az keyvault secret show --name "$FLUX_PRIVATE_KEY_NAME" --vault-name "$AZ_COMMON_KEYVAULT")"
-# FLUX_PUBLIC_KEY="$(az keyvault secret show --name "$FLUX_PUBLIC_KEY_NAME" --vault-name "$AZ_COMMON_KEYVAULT")"
+FLUX_PRIVATE_KEY="$(az keyvault secret show --name "$FLUX_PRIVATE_KEY_NAME" --vault-name "$AZ_RESOURCE_KEYVAULT")"
+# FLUX_PUBLIC_KEY="$(az keyvault secret show --name "$FLUX_PUBLIC_KEY_NAME" --vault-name "$AZ_RESOURCE_KEYVAULT")"
 # printf "\nLooking for flux deploy keys for GitHub in keyvault \"${AZ_RESOURCE_KEYVAULT}\"..."
 # if [[ -z "$FLUX_PRIVATE_KEY" ]] || [[ -z "$FLUX_PUBLIC_KEY" ]]; then
@@ -258,7 +258,7 @@ FLUX_PRIVATE_KEY="$(az keyvault secret show --name "$FLUX_PRIVATE_KEY_NAME" --va
 # fi
 az keyvault secret download \
- --vault-name "$AZ_COMMON_KEYVAULT" \
+ --vault-name "$AZ_RESOURCE_KEYVAULT" \
 --name "$FLUX_PRIVATE_KEY_NAME" \
 --file "$FLUX_PRIVATE_KEY_NAME" \
 2>&1 >/dev/null
@@ -268,7 +268,7 @@ printf "...Done\n"
 # Create secret for Flux v2 to use to authenticate with ACR.
 printf "\nCreating k8s secret \"radix-docker\"..."
 az keyvault secret download \
- --vault-name "$AZ_COMMON_KEYVAULT" \
+ --vault-name "$AZ_RESOURCE_KEYVAULT" \
 --name "radix-cr-cicd" \
 --file sp_credentials.json \
 2>&1 >/dev/null
@@ -309,7 +309,7 @@ else
 fi
 printf "\nGetting Slack Webhook URL..."
-SLACK_WEBHOOK_URL="$(az keyvault secret show --vault-name $AZ_RESOURCE_KEYVAULT --name $KV_SECRET_SLACK_WEBHOOK | jq -r .value)"
+SLACK_WEBHOOK_URL="$(az keyvault secret show --vault-name $AZ_RESOURCE_KEYVAULT --name slack-webhook | jq -r .value)"
 printf "...Done\n"
 IMAGE_REGISTRY="${AZ_RESOURCE_CONTAINER_REGISTRY}.azurecr.io"
diff --git a/scripts/github_maintenance/bootstrap.sh b/scripts/github_maintenance/bootstrap.sh
index 28faed89f..ddb9868e7 100755
--- a/scripts/github_maintenance/bootstrap.sh
+++ b/scripts/github_maintenance/bootstrap.sh
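Review bot: `FLUX_PRIVATE_KEY` now captures the full `az keyvault secret show` JSON, private key value included, into a shell variable, yet its only visible use (the `-z` check below) is commented out and the key is fetched again with `secret download` at 258; unless the variable is used outside the hunk, drop the line so the key material is not held in the shell environment or echoed by an xtrace. If a presence check is all that is wanted, `--query id -o tsv` on the same command returns only the secret identifier.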
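Review bot: In the 309 hunk the secret name `slack-webhook` is hard-coded into the call instead of coming from `KV_SECRET_SLACK_WEBHOOK`, while the env files in this commit comment that variable out rather than redefining it; keeping `KV_SECRET_SLACK_WEBHOOK="slack-webhook"` in the zone env files and referencing it here leaves one place to change and keeps the env file as the inventory of vault secrets. The same hard-coding appears in migrate.sh at 669 and in update_secret_for_radix_servicenow_proxy.sh at 122, where `ar-radix-servicenow-proxy-client-secret` replaces `KV_SECRET_SERVICENOW_CLIENT_SECRET` in both the call and the error message. While the line is being touched, the expansions should be quoted as migrate.sh already does: `SLACK_WEBHOOK_URL="$(az keyvault secret show --vault-name "$AZ_RESOURCE_KEYVAULT" --name "$KV_SECRET_SLACK_WEBHOOK" | jq -r .value)"`.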
@@ -118,7 +118,7 @@ object_id=$(az identity show --name "${MI_GITHUB_MAINTENANCE}-${RADIX_ENVIRONMEN
 exit 1
 }
-set-kv-policy "${object_id}" "get set"
+# set-kv-policy "${object_id}" "get set"
 namespaces=("default" "ingress-nginx" "radix-web-console-qa" "radix-cicd-canary" "flux-system" "radix-api-qa" "radix-canary-golang-qa" "radix-cost-allocation-api-qa" "radix-platform-qa" "radix-github-webhook-qa" "monitor")
diff --git a/scripts/migrate.sh b/scripts/migrate.sh
index 029e2353c..f66608bed 100755
--- a/scripts/migrate.sh
+++ b/scripts/migrate.sh
@@ -669,7 +669,7 @@ if [[ $ENABLE_NOTIFY == true ]]; then
 # Notify on slack
 echo "Notify on slack"
 # Get slack webhook url
- SLACK_WEBHOOK_URL="$(az keyvault secret show --vault-name "$AZ_RESOURCE_KEYVAULT" --name "$KV_SECRET_SLACK_WEBHOOK" | jq -r .value)"
+ SLACK_WEBHOOK_URL="$(az keyvault secret show --vault-name "$AZ_RESOURCE_KEYVAULT" --name slack-webhook | jq -r .value)"
 curl -X POST -H 'Content-type: application/json' --data '{"text":"'"$slack_users"' Restore has been completed.","link_names":1}' "$SLACK_WEBHOOK_URL"
 fi
diff --git a/scripts/radix-zone/radix_zone_c2.env b/scripts/radix-zone/radix_zone_c2.env
index 26ddfa533..9b1510233 100644
--- a/scripts/radix-zone/radix_zone_c2.env
+++ b/scripts/radix-zone/radix_zone_c2.env
@@ -63,8 +63,7 @@ AZ_RESOURCE_GROUP_IPPRE="common-${AZ_RADIX_ZONE_LOCATION}"
 AZ_REDIS_CACHE_SKU="Standard"
 # Shared resources
-AZ_RESOURCE_KEYVAULT="radix-vault-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
-AZ_COMMON_KEYVAULT="radix-keyv-${RADIX_ZONE}"
+AZ_RESOURCE_KEYVAULT="radix-keyv-${RADIX_ZONE}"
 AZ_RESOURCE_MON_KEYVAULT="kv-radix-monitoring-${RADIX_ENVIRONMENT}"
 AZ_RESOURCE_ACR_INTERNAL_TASK_NAME="radix-image-builder-internal"
@@ -117,7 +116,7 @@ MI_AKSKUBELET="radix-id-akskubelet-${RADIX_ZONE}"
 ### Key vault secrets ###
-KV_SECRET_SLACK_WEBHOOK="slack-webhook-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
+# KV_SECRET_SLACK_WEBHOOK="slack-webhook"
 KV_EXPIRATION_TIME="12 months"
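Review bot: In the radix_zone_c2.env hunk at 63, `AZ_RESOURCE_KEYVAULT` now names the vault that `AZ_COMMON_KEYVAULT` used to, and the environment-scoped `radix-vault-…` name disappears, so every secret the scripts read from the old vault must already exist in `radix-keyv-${RADIX_ZONE}`; the commit ships the move script but nothing records which secrets were moved. Anything in the repository that still expands `AZ_COMMON_KEYVAULT` (I can only see the files in this patch) will now pass `--vault-name ""`, so a repository-wide search for that name before merging is cheap insurance. A comment on the new line such as `# Single zone-wide vault; the former per-environment radix-vault-* vault has been merged into it` would explain the consolidation to the next reader. The same change is made in radix_zone_dev.env at 65, radix_zone_playground.env at 64 and radix_zone_prod.env at 64.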
@@ -196,7 +195,7 @@ COST_ALLOCATION_API_CONFIG="radixconfig.${RADIX_ZONE}.yaml"
 KV_SECRET_SERVICENOW_API_KEY=servicenow-api-key
 APP_REGISTRATION_SERVICENOW_CLIENT="ar-radix-servicenow-proxy-client"
 APP_REGISTRATION_SERVICENOW_SERVER="ar-radix-servicenow-proxy-server"
-KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
+# KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
 SERVICE_MANAGEMENT_REFERENCE="110327"
 #######################################################################################
diff --git a/scripts/radix-zone/radix_zone_dev.env b/scripts/radix-zone/radix_zone_dev.env
index f5a50780d..6bef81486 100644
--- a/scripts/radix-zone/radix_zone_dev.env
+++ b/scripts/radix-zone/radix_zone_dev.env
@@ -65,8 +65,7 @@ AZ_RESOURCE_GROUP_IPPRE="common"
 AZ_REDIS_CACHE_SKU="Basic"
 # Shared resources
-AZ_RESOURCE_KEYVAULT="radix-vault-${RADIX_ENVIRONMENT}"
-AZ_COMMON_KEYVAULT="radix-keyv-${RADIX_ZONE}"
+AZ_RESOURCE_KEYVAULT="radix-keyv-${RADIX_ZONE}"
 AZ_RESOURCE_MON_KEYVAULT="kv-radix-monitoring-${RADIX_ENVIRONMENT}"
 AZ_RESOURCE_ACR_INTERNAL_TASK_NAME="radix-image-builder-internal"
@@ -120,7 +119,7 @@ MI_GITHUB_MAINTENANCE="radix-github-maintenance"
 ### Key vault secrets ###
-KV_SECRET_SLACK_WEBHOOK="slack-webhook-$RADIX_ZONE"
+# KV_SECRET_SLACK_WEBHOOK="slack-webhook"
 KV_EXPIRATION_TIME="12 months"
@@ -198,7 +197,7 @@ COST_ALLOCATION_API_CONFIG="radixconfig.${RADIX_ZONE}.yaml"
 KV_SECRET_SERVICENOW_API_KEY=servicenow-api-key
 APP_REGISTRATION_SERVICENOW_CLIENT="ar-radix-servicenow-proxy-client"
 APP_REGISTRATION_SERVICENOW_SERVER="ar-radix-servicenow-proxy-server"
-KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
+# KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
 SERVICE_MANAGEMENT_REFERENCE="110327"
 #######################################################################################
diff --git a/scripts/radix-zone/radix_zone_playground.env b/scripts/radix-zone/radix_zone_playground.env
index 2ad62cfed..680c1f64a 100644
--- a/scripts/radix-zone/radix_zone_playground.env
+++ b/scripts/radix-zone/radix_zone_playground.env
@@ -64,8 +64,7 @@ AZ_RESOURCE_GROUP_IPPRE="common"
 AZ_REDIS_CACHE_SKU="Standard"
 # Shared resources
-AZ_RESOURCE_KEYVAULT="radix-vault-${RADIX_ENVIRONMENT}"
-AZ_COMMON_KEYVAULT="radix-keyv-${RADIX_ZONE}"
+AZ_RESOURCE_KEYVAULT="radix-keyv-${RADIX_ZONE}"
 AZ_RESOURCE_MON_KEYVAULT="kv-radix-monitoring-${RADIX_ENVIRONMENT}"
 AZ_RESOURCE_ACR_INTERNAL_TASK_NAME="radix-image-builder-internal"
@@ -118,7 +117,7 @@ MI_CERT_MANAGER="id-radix-certmanager-${CLUSTER_TYPE}-northeurope"
 ### Key vault secrets ###
-KV_SECRET_SLACK_WEBHOOK="slack-webhook-$RADIX_ZONE"
+# KV_SECRET_SLACK_WEBHOOK="slack-webhook"
 KV_EXPIRATION_TIME="12 months"
@@ -196,7 +195,7 @@ COST_ALLOCATION_API_CONFIG="radixconfig.${RADIX_ZONE}.yaml"
 KV_SECRET_SERVICENOW_API_KEY=servicenow-api-key
 APP_REGISTRATION_SERVICENOW_CLIENT="ar-radix-servicenow-proxy-client"
 APP_REGISTRATION_SERVICENOW_SERVER="ar-radix-servicenow-proxy-server"
-KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
+# KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
 SERVICE_MANAGEMENT_REFERENCE="110327"
 #######################################################################################
diff --git a/scripts/radix-zone/radix_zone_prod.env b/scripts/radix-zone/radix_zone_prod.env
index 6b483ed19..342facd5e 100644
--- a/scripts/radix-zone/radix_zone_prod.env
+++ b/scripts/radix-zone/radix_zone_prod.env
@@ -64,8 +64,7 @@ AZ_RESOURCE_GROUP_IPPRE="common"
 AZ_REDIS_CACHE_SKU="Standard"
 # Shared resources
-AZ_RESOURCE_KEYVAULT="radix-vault-${RADIX_ENVIRONMENT}"
-AZ_COMMON_KEYVAULT="radix-keyv-platform"
+AZ_RESOURCE_KEYVAULT="radix-keyv-platform"
 AZ_RESOURCE_MON_KEYVAULT="kv-radix-monitoring-${RADIX_ENVIRONMENT}"
 AZ_RESOURCE_ACR_INTERNAL_TASK_NAME="radix-image-builder-internal"
@@ -119,7 +118,7 @@ MI_CERT_MANAGER="id-radix-certmanager-${CLUSTER_TYPE}-northeurope"
 ### Key vault secrets ###
-KV_SECRET_SLACK_WEBHOOK="slack-webhook-$RADIX_ZONE"
+# KV_SECRET_SLACK_WEBHOOK="slack-webhook"
 KV_EXPIRATION_TIME="12 months"
@@ -199,7 +198,7 @@ COST_ALLOCATION_API_CONFIG="radixconfig.${RADIX_ZONE}.yaml"
 KV_SECRET_SERVICENOW_API_KEY=servicenow-api-key
 APP_REGISTRATION_SERVICENOW_CLIENT="ar-radix-servicenow-proxy-client"
 APP_REGISTRATION_SERVICENOW_SERVER="ar-radix-servicenow-proxy-server"
-KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
+# KV_SECRET_SERVICENOW_CLIENT_SECRET="ar-radix-servicenow-proxy-client-secret-${RADIX_ZONE}-${RADIX_ENVIRONMENT}"
 SERVICE_MANAGEMENT_REFERENCE="110327"
diff --git a/scripts/service-principals-and-aad-apps/bootstrap.sh b/scripts/service-principals-and-aad-apps/bootstrap.sh
index 427dcf6d2..9f28d6713 100755
--- a/scripts/service-principals-and-aad-apps/bootstrap.sh
+++ b/scripts/service-principals-and-aad-apps/bootstrap.sh
@@ -210,7 +210,7 @@ create_github_resource_lock_operator() {
 create_oidc_and_federated_credentials "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "${AZ_SUBSCRIPTION_ID}" "radix-platform" "lock-operations-${RADIX_ENVIRONMENT}"
 assign_role "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "Omnia Authorization Locks Operator" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_CLUSTERS}"
 assign_role "$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR" "Reader" "/subscriptions/${AZ_SUBSCRIPTION_ID}/resourceGroups/${AZ_RESOURCE_GROUP_COMMON}/providers/Microsoft.KeyVault/vaults/${AZ_RESOURCE_KEYVAULT}"
- set-kv-policy "$(az ad sp list --filter "displayname eq '$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR'" | jq -r .[].id)" "get"
+ # set-kv-policy "$(az ad sp list --filter "displayname eq '$APP_REGISTRATION_RESOURCE_LOCK_OPERATOR'" | jq -r .[].id)" "get"
 }
 if [[ "$RADIX_ENVIRONMENT" == "dev" ]]; then
diff --git a/scripts/service-principals-and-aad-apps/lib_managed_identity.sh b/scripts/service-principals-and-aad-apps/lib_managed_identity.sh
index ee98604c2..575b704bc 100755
--- a/scripts/service-principals-and-aad-apps/lib_managed_identity.sh
+++ b/scripts/service-principals-and-aad-apps/lib_managed_identity.sh
@@ -220,24 +220,24 @@ function create-role-and-rolebinding {
 printf "Done\n"
 }
-function set-kv-policy {
- local object_id
- local permissions
-
- object_id=$1
- permissions=$2
-
- printf "Creating vault access policy on %s for %s...\n" "${AZ_RESOURCE_KEYVAULT}" "${object_id}"
- az keyvault set-policy \
- --name "${AZ_RESOURCE_KEYVAULT}" \
- --secret-permissions ${permissions} \
- --object-id "${object_id}" \
- --only-show-errors >/dev/null || {
- echo -e "ERROR: Could not create vault access policy on ${AZ_RESOURCE_KEYVAULT}." >&2
- exit 1
- }
- printf "Done\n"
-}
+# function set-kv-policy {
+# local object_id
+# local permissions
+
+# object_id=$1
+# permissions=$2
+
+# printf "Creating vault access policy on %s for %s...\n" "${AZ_RESOURCE_KEYVAULT}" "${object_id}"
+# az keyvault set-policy \
+# --name "${AZ_RESOURCE_KEYVAULT}" \
+# --secret-permissions ${permissions} \
+# --object-id "${object_id}" \
+# --only-show-errors >/dev/null || {
+# echo -e "ERROR: Could not create vault access policy on ${AZ_RESOURCE_KEYVAULT}." >&2
+# exit 1
+# }
+# printf "Done\n"
+# }
 function create-az-role {
 local name
diff --git a/scripts/service-principals-and-aad-apps/lib_service_principal.sh b/scripts/service-principals-and-aad-apps/lib_service_principal.sh
index 2926b75e1..e972043c8 100755
--- a/scripts/service-principals-and-aad-apps/lib_service_principal.sh
+++ b/scripts/service-principals-and-aad-apps/lib_service_principal.sh
@@ -71,7 +71,7 @@ function update_service_principal_credentials_in_az_keyvault() {
 fi
 # Upload to keyvault
- az keyvault secret set --vault-name "${AZ_COMMON_KEYVAULT}" --name "${name}" --file "${tmp_file_path}" ${expires} 2>&1 >/dev/null
+ az keyvault secret set --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${name}" --file "${tmp_file_path}" ${expires} 2>&1 >/dev/null
 # Clean up
 rm -rf "$tmp_file_path"
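Review bot: In the lib_service_principal.sh hunk at 71, the rewritten `az keyvault secret set` line still has no status check, and `2>&1 >/dev/null` routes az's error text to stdout while discarding its normal output, so a write to the new vault that fails (for example a missing `set` permission after the access-policy removals elsewhere in this commit) is printed as if it were output and the function proceeds to `rm -rf "$tmp_file_path"` and implicitly report success. Append `|| { printf "ERROR: Could not store %s in keyvault %s\n" "${name}" "${AZ_RESOURCE_KEYVAULT}" >&2; rm -rf "$tmp_file_path"; return 1; }` to the call so the temp file is still removed on the failure path. `update_service_principal_credentials_in_az_keyvault` begins before the hunk, so I cannot see whether its callers check the return value.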
@@ -561,7 +561,7 @@ function delete_service_principal_and_stored_credentials() {
 az ad sp delete --id "${id}" --output none
 printf "deleting credentials in keyvault..."
- az keyvault secret delete --vault-name "${AZ_COMMON_KEYVAULT}" --name "${name}" --output none
+ az keyvault secret delete --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${name}" --output none
 printf "Done.\n"
 }
@@ -572,13 +572,13 @@ function delete_ad_app_and_stored_credentials() {
 printf "Working on ad app \"${name}\": "
 # Get id from key vault as trying to use the name is just hopeless for client apps when using cli
- app_id="$(az keyvault secret show --vault-name ${AZ_COMMON_KEYVAULT} --name "${name}" | jq -r .value | jq -r .id)"
+ app_id="$(az keyvault secret show --vault-name ${AZ_RESOURCE_KEYVAULT} --name "${name}" | jq -r .value | jq -r .id)"
 printf "deleting app in az ad..."
 az ad app delete --id "${app_id}" --output none
 printf "deleting credentials in keyvault..."
- az keyvault secret delete --vault-name "${AZ_COMMON_KEYVAULT}" --name "${name}" --output none
+ az keyvault secret delete --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${name}" --output none
 printf "Done.\n"
 }
diff --git a/scripts/service-principals-and-aad-apps/refresh_aad_app_credentials.sh b/scripts/service-principals-and-aad-apps/refresh_aad_app_credentials.sh
index 45d7d0daa..b5b33973c 100755
--- a/scripts/service-principals-and-aad-apps/refresh_aad_app_credentials.sh
+++ b/scripts/service-principals-and-aad-apps/refresh_aad_app_credentials.sh
@@ -116,7 +116,7 @@ echo -e ""
 echo -e " > WHERE:"
 echo -e " ------------------------------------------------------------------"
 echo -e " - RADIX_ZONE : $RADIX_ZONE"
-echo -e " - AZ_RESOURCE_KEYVAULT : $AZ_COMMON_KEYVAULT"
+echo -e " - AZ_RESOURCE_KEYVAULT : $AZ_RESOURCE_KEYVAULT"
 echo -e ""
 echo -e " > WHAT:"
 echo -e " -------------------------------------------------------------------"
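Review bot: In the 572 hunk, `app_id` is looked up in the new vault and then passed straight to `az ad app delete --id "${app_id}"`; if the secret has not been migrated to `AZ_RESOURCE_KEYVAULT` the pipeline yields an empty string or the literal `null` from `jq -r .id`, and the delete runs with that argument. Guard before deleting: `[[ -n "$app_id" && "$app_id" != "null" ]] || { printf "ERROR: no stored credentials for %s in %s\n" "${name}" "${AZ_RESOURCE_KEYVAULT}" >&2; return 1; }`. The `--vault-name ${AZ_RESOURCE_KEYVAULT}` expansion on the same rewritten line should be quoted like the two `secret delete` calls in this file already are.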
diff --git a/scripts/service-principals-and-aad-apps/refresh_web_console_app_credentials.sh b/scripts/service-principals-and-aad-apps/refresh_web_console_app_credentials.sh
index fdb33664b..a3a9de9f4 100755
--- a/scripts/service-principals-and-aad-apps/refresh_web_console_app_credentials.sh
+++ b/scripts/service-principals-and-aad-apps/refresh_web_console_app_credentials.sh
@@ -86,7 +86,7 @@ echo -e ""
 echo -e " > WHERE:"
 echo -e " ------------------------------------------------------------------"
 echo -e " - RADIX_ZONE : $RADIX_ZONE"
-echo -e " - AZ_RESOURCE_KEYVAULT : $AZ_COMMON_KEYVAULT"
+echo -e " - AZ_RESOURCE_KEYVAULT : $AZ_RESOURCE_KEYVAULT"
 echo -e " - VAULT_CLIENT_SECRET_NAME : $VAULT_CLIENT_SECRET_NAME"
 echo -e ""
 echo -e " > WHAT:"
@@ -123,10 +123,10 @@ password="$(az ad app credential reset --id "${OAUTH2_PROXY_CLIENT_ID}" --displa
 secret="$(az ad app credential list --id "${OAUTH2_PROXY_CLIENT_ID}" --query "sort_by([?displayName=='web console'], &endDateTime)[-1:].{endDateTime:endDateTime,keyId:keyId}")"
 expiration_date="$(echo "${secret}" | jq -r .[].endDateTime | sed 's/\..*//')" || exit
-printf "Update credentials for ${WEB_CONSOLE_DISPLAY_NAME} in keyvault ${AZ_COMMON_KEYVAULT}..."
+printf "Update credentials for ${WEB_CONSOLE_DISPLAY_NAME} in keyvault ${AZ_RESOURCE_KEYVAULT}..."
 # Upload to keyvault
-az keyvault secret set --vault-name "${AZ_COMMON_KEYVAULT}" --name "${VAULT_CLIENT_SECRET_NAME}" --value "${password}" --expires "${expiration_date}" --output none || exit
+az keyvault secret set --vault-name "${AZ_RESOURCE_KEYVAULT}" --name "${VAULT_CLIENT_SECRET_NAME}" --value "${password}" --expires "${expiration_date}" --output none || exit
 printf "Done.\n"
diff --git a/scripts/update_secret_for_radix_servicenow_proxy.sh b/scripts/update_secret_for_radix_servicenow_proxy.sh
index be6f239be..c91450fa9 100755
--- a/scripts/update_secret_for_radix_servicenow_proxy.sh
+++ b/scripts/update_secret_for_radix_servicenow_proxy.sh
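Review bot: In the 123 hunk the rewritten `printf` puts `${WEB_CONSOLE_DISPLAY_NAME}` and `${AZ_RESOURCE_KEYVAULT}` inside the format string, so a `%` in either value is interpreted as a conversion; pass them as arguments instead: `printf "Update credentials for %s in keyvault %s..." "${WEB_CONSOLE_DISPLAY_NAME}" "${AZ_RESOURCE_KEYVAULT}"`. The `secret set` below hands the freshly reset client secret to az via `--value "${password}"` on the command line; the `lib_service_principal.sh` hunk in this commit writes its credential to a temp file and uses `--file`, which keeps the secret out of the process list, and the same approach fits here.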
@@ -122,9 +122,9 @@ function updateSecret() {
 echo "ERROR: Could not find secret $KV_SECRET_SERVICENOW_API_KEY in keyvault. Quitting.." >&2
 return 1
 fi
- SERVICENOW_CLIENT_SECRET=$(az keyvault secret show -n $KV_SECRET_SERVICENOW_CLIENT_SECRET --vault-name $AZ_RESOURCE_KEYVAULT --query value -otsv)
+ SERVICENOW_CLIENT_SECRET=$(az keyvault secret show -n ar-radix-servicenow-proxy-client-secret --vault-name $AZ_RESOURCE_KEYVAULT --query value -otsv)
 if [[ -z $SERVICENOW_CLIENT_SECRET ]]; then
- echo "ERROR: Could not find secret $KV_SECRET_SERVICENOW_CLIENT_SECRET in keyvault. Quitting.." >&2
+ echo "ERROR: Could not find secret ar-radix-servicenow-proxy-client-secret in keyvault. Quitting.." >&2
 return 1
 fi
diff --git a/terraform/subscriptions/scripts/keyvaultsecret.env.template b/terraform/subscriptions/scripts/keyvaultsecret.env.template
index 377b40c79..a9cd9671c 100644
--- a/terraform/subscriptions/scripts/keyvaultsecret.env.template
+++ b/terraform/subscriptions/scripts/keyvaultsecret.env.template
@@ -1,5 +1,4 @@
-#Secret
-secretName=""
-#Vault
-sourceVault=""
-destinationVault=""
\ No newline at end of file
+oldsecretName=
+newsecretName=
+sourceVault=
+destinationVault=
\ No newline at end of file
diff --git a/terraform/subscriptions/scripts/template_move_secrets.ps1 b/terraform/subscriptions/scripts/template_move_secrets.ps1
index d883fb043..8f965daa4 100644
--- a/terraform/subscriptions/scripts/template_move_secrets.ps1
+++ b/terraform/subscriptions/scripts/template_move_secrets.ps1
@@ -1,22 +1,23 @@
+$secrets = @{}
 Get-Content ./keyvaultsecret.env | ForEach-Object {
 $name, $value = $_.split('=')
+ $secrets[$name] = $value
 }
-$secretNamenew=$secretName.ToLower()
-$secretExists=(az keyvault secret list --vault-name $destinationVault --query "[?name=='$secretNamenew']" -o tsv)
+$secretExists=(az keyvault secret list --vault-name $secrets.destinationVault --query "[?name=='$secrets.newsecretName']" -o tsv)
 if($null -eq $secretExists) {
- write-host "Copy Secret across $secretName"
- az keyvault secret show --vault-name $sourceVault -n $secretName --query "value" -o tsv > secret.txt
- $contenttype=(az keyvault secret show --vault-name $sourceVault -n $secretName --query contentType)
+ write-host "Copy secret" $secrets.oldsecretName "to" $secrets.newsecretName
+ az keyvault secret show --vault-name $secrets.sourceVault -n $secrets.oldsecretName --query "value" -o tsv > secret.txt
+ $contenttype=(az keyvault secret show --vault-name $secrets.sourceVault -n $secrets.oldsecretName --query contentType)
 if ($null -eq $contenttype) {
- az keyvault secret set --vault-name $destinationVault --name $secretNamenew --tags migratedfrom=$sourceVault --file secret.txt
+ az keyvault secret set --vault-name $secrets.destinationVault --name $secrets.newsecretName --tags migratedfrom=$secrets.sourceVault --file secret.txt
 } else {
- az keyvault secret set --vault-name $destinationVault --name $secretNamenew --description $contenttype --tags migratedfrom=$sourceVault --file secret.txt
+ az keyvault secret set --vault-name $secrets.destinationVault --name $secrets.newsecretName --description $contenttype --tags migratedfrom=$secrets.sourceVault --file secret.txt
 }
- az keyvault secret delete --vault-name $sourceVault -n $secretName
+ az keyvault secret delete --vault-name $secrets.sourceVault -n $secrets.oldsecretName
 rm secret.txt
 } else {
- write-host "$secretNamenew already exists in $destinationVault"
+ write-host $secrets.newsecretName "already exists in" $secrets.destinationVault
 }
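Review bot: In `--query "[?name=='$secrets.newsecretName']"` and in both `--tags migratedfrom=$secrets.sourceVault` arguments, PowerShell string expansion substitutes only `$secrets` (the hashtable renders as `System.Collections.Hashtable`) and leaves `.newsecretName` / `.sourceVault` as literal text, so the existence check never matches, the copy always proceeds, and the tag records a bogus source; member access inside an expandable string needs the `$( )` form. The bare arguments such as `--vault-name $secrets.destinationVault` are fine, since an argument that starts with `$` is parsed as an expression. Separately, `az keyvault secret set` is not checked before `az keyvault secret delete` runs against the source vault, so a failed write (wrong vault name, no access) is followed by deleting the only copy of the secret. The corrected lines are below; the value also sits in clear text in `secret.txt` until `rm`, so removing it in a `finally` block would cover the failure paths as well.
```powershell
$secretExists=(az keyvault secret list --vault-name $secrets.destinationVault --query "[?name=='$($secrets.newsecretName)']" -o tsv)
# … unchanged: existence check, value and contentType lookup …
    if ($null -eq $contenttype) {
        az keyvault secret set --vault-name $secrets.destinationVault --name $secrets.newsecretName --tags "migratedfrom=$($secrets.sourceVault)" --file secret.txt
    } else {
        az keyvault secret set --vault-name $secrets.destinationVault --name $secrets.newsecretName --description $contenttype --tags "migratedfrom=$($secrets.sourceVault)" --file secret.txt
    }
    if ($LASTEXITCODE -ne 0) {
        rm secret.txt
        throw "Could not write $($secrets.newsecretName) to $($secrets.destinationVault); source secret left untouched"
    }
    az keyvault secret delete --vault-name $secrets.sourceVault -n $secrets.oldsecretName
# … unchanged: rm secret.txt and the else branch …
```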