
Azure Policy definition

Configure Kubernetes clusters with specified GitOps configuration using SSH secrets

Name Configure Kubernetes clusters with specified GitOps configuration using SSH secrets
Id c050047b-b21b-4822-8a2d-c1e37c3c0c6a
Version 1.0.0
Category Kubernetes
Description Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires an SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: deployIfNotExists
Allowed: (deployIfNotExists, auditIfNotExists, disabled)
Used RBAC Role
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
History
Date/Time (UTC ymd) Change type Change detail
2021-03-09 14:37:41 add c050047b-b21b-4822-8a2d-c1e37c3c0c6a
Used in Initiatives none
JSON
{
  "displayName": "Configure Kubernetes clusters with specified GitOps configuration using SSH secrets",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Deploy a 'sourceControlConfiguration' to Kubernetes clusters to assure that the clusters get their source of truth for workloads and configurations from the defined git repo. This definition requires an SSH private key secret in Key Vault. For instructions, visit https://aka.ms/K8sGitOpsPolicy.",
  "metadata": {
    "version": "1.0.0",
    "category": "Kubernetes"
  },
  "parameters": {
    "configurationResourceName": {
      "type": "String",
      "metadata": {
        "displayName": "Configuration resource name",
        "description": "The name for the sourceControlConfiguration. Learn more about setting up GitOps configuration: https://aka.ms/AzureArcK8sUsingGitOps."
      }
    },
    "operatorInstanceName": {
      "type": "String",
      "metadata": {
        "displayName": "Operator instance name",
        "description": "Name used for the operator instances. Maximum of 23 characters, each a lowercase alphanumeric character or a hyphen. Must start and end with an alphanumeric character."
      }
    },
    "operatorNamespace": {
      "type": "String",
      "metadata": {
        "displayName": "Operator namespace",
        "description": "Namespace within which the operators will be installed. Maximum of 23 characters, each a lowercase alphanumeric character or a hyphen. Must start and end with an alphanumeric character."
      }
    },
    "operatorScope": {
      "type": "String",
      "metadata": {
        "displayName": "Operator scope",
        "description": "The permission scope for the operator. Possible values are 'cluster' (full access) or 'namespace' (restricted access)."
      },
      "allowedValues": [
        "cluster",
        "namespace"
      ],
      "defaultValue": "namespace"
    },
    "operatorType": {
      "type": "String",
      "metadata": {
        "displayName": "Operator type",
        "description": "The type of operator to install. Currently, 'Flux' is supported."
      },
      "allowedValues": [
        "Flux"
      ],
      "defaultValue": "Flux"
    },
    "operatorParams": {
      "type": "String",
      "metadata": {
        "displayName": "Operator parameters",
        "description": "Parameters to set on the Flux operator, separated by spaces. For example, --git-readonly --sync-garbage-collection. Learn more: http://aka.ms/AzureArcK8sFluxOperatorParams."
      },
      "defaultValue": ""
    },
    "repositoryUrl": {
      "type": "String",
      "metadata": {
        "displayName": "Repository Url",
        "description": "The URL for the source control repository. Learn more about URL formats: https://aka.ms/GitOpsRepoUrlParameters"
      }
    },
    "enableHelmOperator": {
      "type": "String",
      "metadata": {
        "displayName": "Enable Helm",
        "description": "Indicate whether to enable Helm for this instance of Flux. Learn more: http://aka.ms/AzureArcK8sGitOpsWithHelm."
      },
      "allowedValues": [
        "true",
        "false"
      ],
      "defaultValue": "true"
    },
    "chartVersion": {
      "type": "String",
      "metadata": {
        "displayName": "Helm chart version for installing Flux Helm",
        "description": "The version of the Helm chart for installing Flux Helm. For example, 1.2.0"
      },
      "defaultValue": "1.2.0"
    },
    "chartValues": {
      "type": "String",
      "metadata": {
        "displayName": "Helm chart parameters for installing Flux Helm",
        "description": "Parameters for the Helm chart for installing Flux Helm, separated by spaces. For example, --set helm.versions=v3"
      },
      "defaultValue": ""
    },
    "sshKnownHostsContents": {
      "type": "String",
      "metadata": {
        "displayName": "Base64-encoded known hosts content",
        "description": "The base64-encoded known hosts content."
      },
      "defaultValue": ""
    },
    "keyVaultResourceId": {
      "type": "String",
      "metadata": {
        "displayName": "Key Vault resource id",
        "description": "The resource id for the Key Vault that holds the SSH or HTTPS secrets. For example: '/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<vaultName>'",
        "strongType": "Microsoft.KeyVault/vaults",
        "assignPermissions": "true"
      },
      "defaultValue": ""
    },
    "sshPrivateKeyKeyVaultSecretName": {
      "type": "String",
      "metadata": {
        "displayName": "SSH private key Key Vault secret",
        "description": "The name of the Key Vault secret that holds the base64-encoded SSH private key."
      },
      "defaultValue": ""
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "deployIfNotExists",
        "auditIfNotExists",
        "disabled"
      ],
      "defaultValue": "deployIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "field": "type",
      "in": [
        "Microsoft.Kubernetes/connectedClusters",
        "Microsoft.ContainerService/managedClusters"
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.KubernetesConfiguration/sourceControlConfigurations",
        "name": "[parameters('configurationResourceName')]",
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "deploymentScope": "ResourceGroup",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/operatorParams",
              "in": [
                "[parameters('operatorParams')]",
                "[concat('--git-readonly ',parameters('operatorParams'))]"
              ]
            },
            {
              "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/repositoryUrl",
              "equals": "[parameters('repositoryUrl')]"
            },
            {
              "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/sshKnownHostsContents",
              "equals": "[parameters('sshKnownHostsContents')]"
            },
            {
              "anyOf": [
                {
                  "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
                  "equals": "false"
                },
                {
                  "allOf": [
                    {
                      "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/enableHelmOperator",
                      "equals": "true"
                    },
                    {
                      "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartVersion",
                      "equals": "[parameters('chartVersion')]"
                    },
                    {
                      "field": "Microsoft.KubernetesConfiguration/sourceControlConfigurations/helmOperatorProperties.chartValues",
                      "equals": "[parameters('chartValues')]"
                    }
                  ]
                }
              ]
            }
          ]
        },
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "configurationResourceName": {
                  "type": "string"
                },
                "clusterLocation": {
                  "type": "string"
                },
                "clusterName": {
                  "type": "string"
                },
                "operatorInstanceName": {
                  "type": "string"
                },
                "operatorNamespace": {
                  "type": "string"
                },
                "operatorScope": {
                  "type": "string"
                },
                "operatorType": {
                  "type": "string"
                },
                "operatorParams": {
                  "type": "string"
                },
                "repositoryUrl": {
                  "type": "string"
                },
                "enableHelmOperator": {
                  "type": "string"
                },
                "chartVersion": {
                  "type": "string"
                },
                "chartValues": {
                  "type": "string"
                },
                "sshKnownHostsContents": {
                  "type": "string"
                },
                "sshPrivateKey": {
                  "type": "securestring"
                },
                "clusterResourceType": {
                  "type": "string"
                }
              },
              "resources": [
                {
                  "condition": "[contains(toLower(parameters('clusterResourceType')), toLower('connectedclusters'))]",
                  "type": "Microsoft.Kubernetes/connectedClusters/providers/sourceControlConfigurations",
                  "name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
                  "apiVersion": "2021-03-01",
                  "properties": {
                    "operatorInstanceName": "[parameters('operatorInstanceName')]",
                    "operatorNamespace": "[parameters('operatorNamespace')]",
                    "operatorScope": "[parameters('operatorScope')]",
                    "operatorType": "[parameters('operatorType')]",
                    "operatorParams": "[parameters('operatorParams')]",
                    "repositoryUrl": "[parameters('repositoryUrl')]",
                    "enableHelmOperator": "[parameters('enableHelmOperator')]",
                    "helmOperatorProperties": {
                      "chartVersion": "[parameters('chartVersion')]",
                      "chartValues": "[parameters('chartValues')]"
                    },
                    "sshKnownHostsContents": "[parameters('sshKnownHostsContents')]",
                    "configurationProtectedSettings": {
                      "sshPrivateKey": "[parameters('sshPrivateKey')]"
                    }
                  }
                },
                {
                  "condition": "[contains(toLower(parameters('clusterResourceType')), toLower('managedclusters'))]",
                  "type": "Microsoft.ContainerService/managedClusters/providers/sourceControlConfigurations",
                  "name": "[concat(parameters('clusterName'), '/Microsoft.KubernetesConfiguration/', parameters('configurationResourceName'))]",
                  "apiVersion": "2021-03-01",
                  "properties": {
                    "operatorInstanceName": "[parameters('operatorInstanceName')]",
                    "operatorNamespace": "[parameters('operatorNamespace')]",
                    "operatorScope": "[parameters('operatorScope')]",
                    "operatorType": "[parameters('operatorType')]",
                    "operatorParams": "[parameters('operatorParams')]",
                    "repositoryUrl": "[parameters('repositoryUrl')]",
                    "enableHelmOperator": "[parameters('enableHelmOperator')]",
                    "helmOperatorProperties": {
                      "chartVersion": "[parameters('chartVersion')]",
                      "chartValues": "[parameters('chartValues')]"
                    },
                    "sshKnownHostsContents": "[parameters('sshKnownHostsContents')]",
                    "configurationProtectedSettings": {
                      "sshPrivateKey": "[parameters('sshPrivateKey')]"
                    }
                  }
                }
              ]
            },
            "parameters": {
              "clusterLocation": {
                "value": "[field('location')]"
              },
              "clusterName": {
                "value": "[field('name')]"
              },
              "configurationResourceName": {
                "value": "[parameters('configurationResourceName')]"
              },
              "operatorInstanceName": {
                "value": "[parameters('operatorInstanceName')]"
              },
              "operatorNamespace": {
                "value": "[parameters('operatorNamespace')]"
              },
              "operatorScope": {
                "value": "[parameters('operatorScope')]"
              },
              "operatorType": {
                "value": "[parameters('operatorType')]"
              },
              "operatorParams": {
                "value": "[parameters('operatorParams')]"
              },
              "repositoryUrl": {
                "value": "[parameters('repositoryUrl')]"
              },
              "enableHelmOperator": {
                "value": "[parameters('enableHelmOperator')]"
              },
              "chartVersion": {
                "value": "[parameters('chartVersion')]"
              },
              "chartValues": {
                "value": "[parameters('chartValues')]"
              },
              "sshKnownHostsContents": {
                "value": "[parameters('sshKnownHostsContents')]"
              },
              "sshPrivateKey": {
                "reference": {
                  "keyVault": {
                    "id": "[parameters('keyVaultResourceId')]"
                  },
                  "secretName": "[parameters('sshPrivateKeyKeyVaultSecretName')]"
                }
              },
              "clusterResourceType": {
                "value": "[field('type')]"
              }
            }
          }
        }
      }
    }
  }
}