| JSON |
{
"properties": {
"displayName": "Configure Kubernetes clusters with specified GitOps configuration using HTTPS secrets",
"policyType": "BuiltIn",
"mode": "Indexed",
"description": "Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires HTTPS user and key secrets stored in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.",
"metadata": {
"version": "1.0.0",
"category": "Kubernetes"
},
"parameters": {
"configurationResourceName": {
"type": "String",
"metadata": {
"displayName": "Configuration resource name",
"description": "The name for the sourceControlConfiguration. Learn more about setting up GitOps configuration: https://aka.ms/AzureArcK8sUsingGitOps."
}
},
"operatorInstanceName": {
"type": "String",
"metadata": {
"displayName": "Operator instance name",
"description": "Name used in the operator instances. Maximum of 23 lowercase alphanumeric characters or hyphen. Must start and end with an alphanumeric character."
}
},
"operatorNamespace": {
"type": "String",
"metadata": {
"displayName": "Operator namespace",
"description": "Namespace within which the operators will be installed. Maximum of 23 lowercase alphanumeric characters or hyphen. Must start and end with an alphanumeric character."
}
},
"operatorScope": {
"type": "String",
"metadata": {
"displayName": "Operator scope",
"description": "The permission scope for the operator. Possible values are 'cluster' (full access) or 'namespace' (restricted access)."
},
"allowedValues": [
"cluster",
"namespace"
],
"defaultValue": "namespace"
},
"operatorType": {
"type": "String",
"metadata": {
"displayName": "Operator type",
"description": "The type of operator to install. Currently, 'Flux' is supported."
},
"allowedValues": [
"Flux"
],
"defaultValue": "Flux"
},
"operatorParams": {
"type": "String",
"metadata": {
"displayName": "Operator parameters",
"description": "Parameters to set on the Flux operator, separated by spaces. For example, --git-readonly --sync-garbage-collection. Learn more: http://aka.ms/AzureArcK8sFluxOperatorParams."
},
"defaultValue": ""
},
"repositoryUrl": {
"type": "String",
"metadata": {
"displayName": "Repository Url",
"description": "The URL for the source control repository. Learn more about URL formats: https://aka.ms/GitOpsRepoUrlParameters"
}
},
"enableHelmOperator": {
"type": "String",
"metadata": {
"displayName": "Enable Helm",
"description": "Indicate whether to enable Helm for this instance of Flux. Learn more: http://aka.ms/AzureArcK8sGitOpsWithHelm."
},
"allowedValues": [
"true",
"false"
],
"defaultValue": "true"
},
"chartVersion": {
"type": "String",
"metadata": {
"displayName": "Helm chart version for installing Flux Helm",
"description": "The version of the Helm chart for installing Flux Helm. For example, 1.2.0"
},
"defaultValue": "1.2.0"
},
"chartValues": {
"type": "String",
"metadata": {
"displayName": "Helm chart parameters for installing Flux Helm",
"description": "Parameters for the Helm chart for installing Flux Helm, separated by spaces. For example, --set helm.versions=v3"
},
"defaultValue": ""
},
"keyVaultResourceId": {
"type": "String",
"metadata": {
"displayName": "Key Vault resource id",
"description": "The resource id for the Key Vault that holds the SSH or HTTPS secrets. For example: '/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/'",
"strongType": "Microsoft.KeyVault/vaults",
"assignPermissions": "true"
},
"defaultValue": ""
},
"httpsUserKeyVaultSecretName": {
"type": "String",
"metadata": {
"displayName": "HTTPS user name Key Vault secret",
"description": "The name of the Key Vault secret that holds the base64-encoded HTTPS user name."
},
"defaultValue": ""
},
"httpsKeyKeyVaultSecretName": {
"type": "String",
"metadata": {
"displayName": "HTTPS key Key Vault secret",
"description": "The name of the Key Vault secret that holds the base64-encoded HTTPS key."
},
"defaultValue": ""
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"deployIfNotExists",
"auditIfNotExists",
"disabled"
],
"defaultValue": "deployIfNotExists"
}
},
"policyRule": {
"if": {
"field": "type",
"in": [
"Microsoft.Kubernetes/connectedClusters",
"Microsoft.ContainerService/managedClusters"
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
"name": "[parameters('configurationResourceName')]",
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"deploymentScope": "ResourceGroup",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams",
"in": [
"[parameters('operatorParams')]",
"[concat('--git-readonly ',parameters('operatorParams'))]"
]
},
{
"field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl",
"equals": "[parameters('repositoryUrl')]"
},
{
"anyOf": [
{
"field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
"equals": "false"
},
{
"allOf": [
{
"field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
"equals": "true"
},
{
"field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion",
"equals": "[parameters('chartVersion')]"
},
{
"field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues",
"equals": "[parameters('chartValues')]"
}
]
}
]
}
]
},
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"configurationResourceName": {
"type": "string"
},
"clusterLocation": {
"type": "string"
},
"clusterName": {
"type": "string"
},
"operatorInstanceName": {
"type": "string"
},
"operatorNamespace": {
"type": "string"
},
"operatorScope": {
"type": "string"
},
"operatorType": {
"type": "string"
},
"operatorParams": {
"type": "string"
},
"repositoryUrl": {
"type": "string"
},
"enableHelmOperator": {
"type": "string"
},
"chartVersion": {
"type": "string"
},
"chartValues": {
"type": "string"
},
"httpsUser": {
"type": "securestring"
},
"httpsKey": {
"type": "securestring"
},
"clusterResourceType": {
"type": "string"
}
},
"resources": [
{
"condition": "[contains(toLower(parameters('clusterResourceType')), toLower('connectedclusters'))]",
"type": "Microsoft.Kubernetes/connectedClusters/providers/sourceControlConfigurations",
"name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
"apiVersion": "2021-03-01",
"properties": {
"operatorInstanceName": "[parameters('operatorInstanceName')]",
"operatorNamespace": "[parameters('operatorNamespace')]",
"operatorScope": "[parameters('operatorScope')]",
"operatorType": "[parameters('operatorType')]",
"operatorParams": "[parameters('operatorParams')]",
"repositoryUrl": "[parameters('repositoryUrl')]",
"enableHelmOperator": "[parameters('enableHelmOperator')]",
"helmOperatorProperties": {
"chartVersion": "[parameters('chartVersion')]",
"chartValues": "[parameters('chartValues')]"
},
"configurationProtectedSettings": {
"httpsUser": "[parameters('httpsUser')]",
"httpsKey": "[parameters('httpsKey')]"
}
}
},
{
"condition": "[contains(toLower(parameters('clusterResourceType')), toLower('managedclusters'))]",
"type": "Microsoft.ContainerService/managedClusters/providers/sourceControlConfigurations",
"name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
"apiVersion": "2021-03-01",
"properties": {
"operatorInstanceName": "[parameters('operatorInstanceName')]",
"operatorNamespace": "[parameters('operatorNamespace')]",
"operatorScope": "[parameters('operatorScope')]",
"operatorType": "[parameters('operatorType')]",
"operatorParams": "[parameters('operatorParams')]",
"repositoryUrl": "[parameters('repositoryUrl')]",
"enableHelmOperator": "[parameters('enableHelmOperator')]",
"helmOperatorProperties": {
"chartVersion": "[parameters('chartVersion')]",
"chartValues": "[parameters('chartValues')]"
},
"configurationProtectedSettings": {
"httpsUser": "[parameters('httpsUser')]",
"httpsKey": "[parameters('httpsKey')]"
}
}
}
]
},
"parameters": {
"clusterLocation": {
"value": "[field('location')]"
},
"clusterName": {
"value": "[field('name')]"
},
"configurationResourceName": {
"value": "[parameters('configurationResourceName')]"
},
"operatorInstanceName": {
"value": "[parameters('operatorInstanceName')]"
},
"operatorNamespace": {
"value": "[parameters('operatorNamespace')]"
},
"operatorScope": {
"value": "[parameters('operatorScope')]"
},
"operatorType": {
"value": "[parameters('operatorType')]"
},
"operatorParams": {
"value": "[parameters('operatorParams')]"
},
"repositoryUrl": {
"value": "[parameters('repositoryUrl')]"
},
"enableHelmOperator": {
"value": "[parameters('enableHelmOperator')]"
},
"chartVersion": {
"value": "[parameters('chartVersion')]"
},
"chartValues": {
"value": "[parameters('chartValues')]"
},
"httpsUser": {
"reference": {
"keyVault": {
"id": "[parameters('keyVaultResourceId')]"
},
"secretName": "[parameters('httpsUserKeyVaultSecretName')]"
}
},
"httpsKey": {
"reference": {
"keyVault": {
"id": "[parameters('keyVaultResourceId')]"
},
"secretName": "[parameters('httpsKeyKeyVaultSecretName')]"
}
},
"clusterResourceType": {
"value": "[field('type')]"
}
}
}
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/a6f560f4-f582-4b67-b123-a37dcd1bf7ea",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "a6f560f4-f582-4b67-b123-a37dcd1bf7ea"
}
|