nsg

Signed-off-by: Gerd Oberlechner <goberlec@redhat.com>
Azure · Feb 27, 2025 · d42aa88 · d42aa88
1 parent d849641
commit d42aa88
Show file tree

Hide file tree

Showing 11 changed files with 87 additions and 0 deletions.
diff --git a/config/config.msft.yaml b/config/config.msft.yaml
@@ -252,6 +252,10 @@ clouds:
           clusterService:
             environment: "arohcpint"
 
+          # Geneva Actions
+          genevaActions:
+            serviceTag: GenevaActionsNonProd
+
           # OIDC
           oidcStorageAccountName: arohcpoidcint{{ .ctx.regionShort }}
           oidcZoneRedundantMode: Auto

diff --git a/config/config.schema.json b/config/config.schema.json
@@ -426,6 +426,18 @@
         "cert"
       ]
     },
+    "genevaActions": {
+      "type": "object",
+      "properties": {
+        "serviceTag": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false,
+      "required": [
+        "serviceTag"
+      ]
+    },
     "global": {
       "type": "object",
       "properties": {
@@ -977,6 +989,7 @@
     "firstPartyAppClientId",
     "firstPartyAppCertName",
     "frontend",
+    "genevaActions",
     "global",
     "hypershift",
     "hypershiftOperator",

diff --git a/config/config.yaml b/config/config.yaml
@@ -25,6 +25,10 @@ defaults:
   logs:
     enableLogAnalytics: false
 
+  # Geneva Actions
+  genevaActions:
+    serviceTag: GenevaActionsNonProd
+
   # SVC cluster specifics
   svc:
     subscription: ARO Hosted Control Planes (EA Subscription 1)

diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
@@ -95,6 +95,9 @@
       "repository": "arohcpfrontend"
     }
   },
+  "genevaActions": {
+    "serviceTag": "GenevaActionsNonProd"
+  },
   "global": {
     "globalMSIName": "global-rollout-identity",
     "region": "westus3",

diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
@@ -95,6 +95,9 @@
       "repository": "arohcpfrontend"
     }
   },
+  "genevaActions": {
+    "serviceTag": "GenevaActionsNonProd"
+  },
   "global": {
     "globalMSIName": "global-rollout-identity",
     "region": "westus3",

diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
@@ -95,6 +95,9 @@
       "repository": "arohcpfrontend"
     }
   },
+  "genevaActions": {
+    "serviceTag": "GenevaActionsNonProd"
+  },
   "global": {
     "globalMSIName": "global-ev2-identity",
     "region": "uksouth",

diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
@@ -95,6 +95,9 @@
       "repository": "arohcpfrontend"
     }
   },
+  "genevaActions": {
+    "serviceTag": "GenevaActionsNonProd"
+  },
   "global": {
     "globalMSIName": "global-rollout-identity",
     "region": "westus3",

diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
@@ -72,6 +72,7 @@ param regionalResourceGroup = '{{ .regionRG }}'
 
 param frontendIngressCertName = '{{ .frontend.cert.name }}'
 param frontendIngressCertIssuer = '{{ .frontend.cert.issuer }}'
+param genevaActionsServiceTag = '{{ .genevaActions.serviceTag }}'
 
 // Azure Monitor Workspace
 param azureMonitoringWorkspaceId = '__azureMonitoringWorkspaceId__'

diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
@@ -37,6 +37,7 @@ param subnetPrefix string
 param podSubnetPrefix string
 param clusterType string
 param workloadIdentities array
+param nodeSubnetNSGId string
 
 @description('Istio Ingress Gateway Public IP Address resource name')
 param istioIngressGatewayIPAddressName string = ''
@@ -192,6 +193,9 @@ resource aksNodeSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' =
         service: 'Microsoft.KeyVault'
       }
     ]
+    networkSecurityGroup: {
+      id: nodeSubnetNSGId
+    }
   }
 }
 

diff --git a/dev-infrastructure/templates/mgmt-cluster.bicep b/dev-infrastructure/templates/mgmt-cluster.bicep
@@ -111,6 +111,15 @@ param logsServiceAccount string
 // Log Analytics Workspace ID will be passed from region pipeline if enabled in config
 param logAnalyticsWorkspaceId string = ''
 
+resource mgmtClusterNSG 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
+  location: location
+  name: 'mgmt-cluster-node-nsg'
+  properties: {
+    securityRules: [
+    ]
+  }
+}
+
 module mgmtCluster '../modules/aks-cluster-base.bicep' = {
   name: 'cluster'
   scope: resourceGroup()
@@ -124,6 +133,7 @@ module mgmtCluster '../modules/aks-cluster-base.bicep' = {
     deployIstio: false
     kubernetesVersion: kubernetesVersion
     vnetAddressPrefix: vnetAddressPrefix
+    nodeSubnetNSGId: mgmtClusterNSG.id
     subnetPrefix: subnetPrefix
     podSubnetPrefix: podSubnetPrefix
     clusterType: 'mgmt-cluster'

diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
@@ -179,6 +179,9 @@ param frontendIngressCertName string
 @description('Frontend Ingress Certificate Issuer')
 param frontendIngressCertIssuer string
 
+@description('The service tag for Geneva Actions')
+param genevaActionsServiceTag string
+
 @description('The Azure Resource ID of the Azure Monitor Workspace (stores prometheus metrics)')
 param azureMonitoringWorkspaceId string
 
@@ -209,6 +212,41 @@ resource serviceKeyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing
   scope: resourceGroup(serviceKeyVaultResourceGroup)
 }
 
+resource svcClusterNSG 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
+  location: location
+  name: 'svc-cluster-node-nsg'
+  properties: {
+    securityRules: [
+      {
+        name: 'rp-in-arm'
+        properties: {
+          access: 'Allow'
+          destinationAddressPrefix: '*'
+          destinationPortRange: '443'
+          direction: 'Inbound'
+          priority: 120
+          protocol: 'Tcp'
+          sourceAddressPrefix: 'AzureResourceManager'
+          sourcePortRange: '*'
+        }
+      }
+      {
+        name: 'admin-in-geneva'
+        properties: {
+          access: 'Allow'
+          destinationAddressPrefix: '*'
+          destinationPortRange: '443'
+          direction: 'Inbound'
+          priority: 130
+          protocol: 'Tcp'
+          sourceAddressPrefix: genevaActionsServiceTag
+          sourcePortRange: '*'
+        }
+      }
+    ]
+  }
+}
+
 module svcCluster '../modules/aks-cluster-base.bicep' = {
   name: 'cluster'
   scope: resourceGroup()
@@ -225,6 +263,7 @@ module svcCluster '../modules/aks-cluster-base.bicep' = {
     istioIngressGatewayIPAddressName: istioIngressGatewayIPAddressName
     istioIngressGatewayIPAddressIPTags: istioIngressGatewayIPAddressIPTags
     vnetAddressPrefix: vnetAddressPrefix
+    nodeSubnetNSGId: svcClusterNSG.id
     subnetPrefix: subnetPrefix
     podSubnetPrefix: podSubnetPrefix
     clusterType: 'svc-cluster'