Merge branch 'main' into dawn-tenancy

Author: craddm

infra/aks/Pulumi.yaml

@@ -18,6 +18,11 @@ config:
     type: string
     description: The CIDR for the access cluster nodes subnet
     default: "10.10.1.0/24"
+  admin_ip_allowlist:
+    type: array
+    description: List of CIDR blocks to allow access to the API proxy SSH server
+    items:
+      type: string
   cluster_name:
     type: string
     description: The name of the AKS cluster

infra/aks/components/networking.py

@@ -96,7 +96,9 @@ def __init__(
                     protocol=network.SecurityRuleProtocol.TCP,
                     source_port_range="*",
                     destination_port_range="2500",
-                    source_address_prefix="Internet",
+                    source_address_prefixes=args.config.require_object(
+                        "admin_ip_allowlist"
+                    ),
                     destination_address_prefix="*",
                     description="Allow SSH traffic to API Proxy SSH server",
                 ),

infra/fridge/access-cluster/Pulumi.yaml

@@ -24,6 +24,14 @@ config:
   base_fqdn:
     type: string
     description: Base FQDN for the access cluster
+  admin_ip_allowlist:
+    type: array
+    description: List of CIDR blocks to allow access to the API proxy SSH server
+    items:
+      type: string
+  dawn_load_balancer_ip:
+    type: string
+    description: Load balancer IP for Dawn access cluster - use a dummy value when not deploying to Dawn
   harbor_fqdn_prefix:
     type: string
     description: FQDN prefix for Harbor

infra/fridge/access-cluster/__main__.py

@@ -1,7 +1,6 @@
 import pulumi
 
 from pulumi import ResourceOptions
-from pulumi_kubernetes.batch.v1 import CronJobPatch, CronJobSpecPatchArgs
 from pulumi_kubernetes.core.v1 import NamespacePatch
 from pulumi_kubernetes.meta.v1 import ObjectMetaPatchArgs
 from pulumi_kubernetes.yaml import ConfigFile
@@ -117,9 +116,12 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
 ]
 
 network_policies = components.NetworkPolicies(
-    name=f"{stack_name}-network-policies",
-    config=config,
-    k8s_environment=k8s_environment,
+    f"{stack_name}-network-policies",
+    components.NetworkPoliciesArgs(
+        config=config,
+        k8s_environment=k8s_environment,
+        harbor_fqdn=harbor.harbor_fqdn,
+    ),
     opts=ResourceOptions(
         depends_on=resources,
     ),
@@ -128,6 +130,7 @@ def patch_namespace(name: str, pss: PodSecurityStandard) -> NamespacePatch:
 # Pulumi exports
 pulumi.export("fridge_api_ip_address", config.require("fridge_api_ip_address"))
 pulumi.export("harbor_fqdn", harbor.harbor_fqdn)
-pulumi.export("harbor_ip_address", harbor.harbor_lb_ip)
-pulumi.export("ingress_ip", ingress_nginx.ingress_ip)
-pulumi.export("ingress_ports", ingress_nginx.ingress_ports)
+if k8s_environment == K8sEnvironment.AKS:
+    pulumi.export("harbor_ip_address", harbor.harbor_ip)
+    pulumi.export("ingress_ip", ingress_nginx.ingress_ip)
+    pulumi.export("ingress_ports", ingress_nginx.ingress_ports)

infra/fridge/access-cluster/components/__init__.py

@@ -2,5 +2,5 @@
 from .container_registry import ContainerRegistry, ContainerRegistryArgs
 from .fridge_api_jumpbox import FridgeAPIJumpbox, FridgeAPIJumpboxArgs
 from .ingress import Ingress, IngressArgs
-from .network_policies import NetworkPolicies
+from .network_policies import NetworkPolicies, NetworkPoliciesArgs
 from .storage_classes import StorageClasses, StorageClassesArgs

infra/fridge/access-cluster/components/cert_manager.py

@@ -1,10 +1,10 @@
 import pulumi
 
-from pulumi import ComponentResource, ResourceOptions
+from pulumi import ComponentResource, Output, ResourceOptions
 from pulumi_kubernetes.apiextensions import CustomResource
-from pulumi_kubernetes.core.v1 import Namespace
+from pulumi_kubernetes.core.v1 import Namespace, Service
 from pulumi_kubernetes.helm.v3 import Release
-from pulumi_kubernetes.helm.v4 import Chart, RepositoryOptsArgs
+from pulumi_kubernetes.helm.v4 import RepositoryOptsArgs
 from pulumi_kubernetes.meta.v1 import ObjectMetaArgs
 
 from enums import K8sEnvironment, PodSecurityStandard, TlsEnvironment, tls_issuer_names
@@ -32,7 +32,7 @@ def __init__(
         k8s_environment = args.k8s_environment
 
         match k8s_environment:
-            case K8sEnvironment.AKS | K8sEnvironment.K3S | K8sEnvironment.DAWN:
+            case K8sEnvironment.AKS | K8sEnvironment.K3S:
                 # AKS specific configuration
                 # CertManager (TLS automation)
                 cert_manager_ns = Namespace(
@@ -65,6 +65,23 @@ def __init__(
                         ),
                     ),
                 )
+            case K8sEnvironment.DAWN:
+                cert_manager_ns = Namespace.get(
+                    "cert-manager-ns",
+                    "cert-manager",
+                    opts=child_opts,
+                )
+                cert_manager = Service.get(
+                    "cert-manager",
+                    Output.concat(
+                        cert_manager_ns.metadata.name,
+                        "/",
+                        "cert-manager",
+                    ),
+                    opts=ResourceOptions.merge(
+                        child_opts, ResourceOptions(depends_on=[cert_manager_ns])
+                    ),
+                )
 
         # Create ClusterIssuers
         issuer_outputs = {}

infra/fridge/access-cluster/components/container_registry.py

@@ -64,6 +64,8 @@ def __init__(
         super().__init__("fridge:ContainerRegistry", name, {}, opts)
         child_opts = ResourceOptions.merge(opts, ResourceOptions(parent=self))
 
+        k8s_environment = K8sEnvironment(args.config.get("k8s_env"))
+
         self.harbor_ns = Namespace(
             "harbor-ns",
             metadata=ObjectMetaArgs(
@@ -88,15 +90,6 @@ def __init__(
             else "ReadWriteOnce",
         }
 
-        api_service_annotations = (
-            {
-                "service.beta.kubernetes.io/azure-load-balancer-internal": "true",
-                "service.beta.kubernetes.io/azure-load-balancer-internal-subnet": "networking-access-nodes",
-            }
-            if K8sEnvironment(args.config.get("k8s_env")) == K8sEnvironment.AKS
-            else {}
-        )
-
         self.harbor = Release(
             "harbor",
             ReleaseArgs(
@@ -188,34 +181,40 @@ def __init__(
             ),
         )
 
-        self.harbor_internal_loadbalancer = Service(
-            "harbor-internal-lb",
-            metadata=ObjectMetaArgs(
-                name="harbor-lb",
-                namespace=self.harbor_ns.metadata.name,
-                annotations=api_service_annotations,
-            ),
-            spec=ServiceSpecArgs(
-                type="LoadBalancer",
-                selector={"app": "harbor", "component": "nginx"},
-                ports=[ServicePortArgs(port=80, target_port=8080)],
-            ),
-            opts=ResourceOptions.merge(
-                child_opts,
-                ResourceOptions(
-                    depends_on=[
-                        self.harbor,
-                    ]
+        if k8s_environment == K8sEnvironment.AKS:
+            self.harbor_internal_loadbalancer = Service(
+                "harbor-internal-lb",
+                metadata=ObjectMetaArgs(
+                    name="harbor-lb",
+                    namespace=self.harbor_ns.metadata.name,
+                    annotations={
+                        "service.beta.kubernetes.io/azure-load-balancer-internal": "true",
+                        "service.beta.kubernetes.io/azure-load-balancer-internal-subnet": "networking-access-nodes",
+                    },
                 ),
-            ),
-        )
-
-        # Extract the dynamically assigned IP address
-        self.harbor_lb_ip = self.harbor_internal_loadbalancer.status.apply(
-            lambda status: status.load_balancer.ingress[0].ip
-            if status and status.load_balancer and status.load_balancer.ingress
-            else None
-        )
+                spec=ServiceSpecArgs(
+                    type="LoadBalancer",
+                    selector={"app": "harbor", "component": "nginx"},
+                    ports=[ServicePortArgs(port=80, target_port=8080)],
+                ),
+                opts=ResourceOptions.merge(
+                    child_opts,
+                    ResourceOptions(
+                        depends_on=[
+                            self.harbor,
+                        ]
+                    ),
+                ),
+            )
+            # Extract the dynamically assigned LoadBalancer IP address
+            self.harbor_ip = self.harbor_internal_loadbalancer.status.apply(
+                lambda status: status.load_balancer.ingress[0].ip
+                if status and status.load_balancer and status.load_balancer.ingress
+                else None
+            )
+        elif k8s_environment == K8sEnvironment.DAWN:
+            # Extract the ClusterIP for DAWN environment
+            self.harbor_ip = args.config.require("dawn_load_balancer_ip")
 
         # Create a daemonset to skip TLS verification for the harbor registry
         # This is needed while using staging/self-signed certificates for Harbor

infra/fridge/access-cluster/components/fridge_api_jumpbox.py

@@ -166,7 +166,7 @@ def __init__(
             ),
             spec=ServiceSpecArgs(
                 selector=self.api_jumpbox.spec.template.metadata.labels,
-                ports=[{"protocol": "TCP", "port": 2500, "targetPort": 2222}],
+                ports=[{"protocol": "TCP", "port": 2222, "targetPort": 2222}],
                 type="ClusterIP",
             ),
             opts=ResourceOptions.merge(

infra/fridge/access-cluster/components/ingress.py

@@ -23,7 +23,7 @@ def __init__(
         k8s_environment = args.k8s_environment
 
         match k8s_environment:
-            case K8sEnvironment.AKS | K8sEnvironment.K3S | K8sEnvironment.DAWN:
+            case K8sEnvironment.AKS | K8sEnvironment.K3S:
                 ingress_nginx_ns = Namespace(
                     "ingress-nginx-ns",
                     metadata=ObjectMetaArgs(
@@ -51,12 +51,12 @@ def __init__(
                                 },
                             },
                             "tcp": {
-                                "2500": Output.concat(
+                                "2222": Output.concat(
                                     args.api_jumpbox.api_jumpbox_ns.metadata.name,
                                     "/",
                                     args.api_jumpbox.api_jumpbox_service.metadata.name,
                                     ":",
-                                    "2500",
+                                    "2222",
                                 ),
                             },
                         },
@@ -65,27 +65,37 @@ def __init__(
                         child_opts, ResourceOptions(depends_on=ingress_nginx_ns)
                     ),
                 )
-            case K8sEnvironment.DAWN:
-                # Dawn specific configuration
-                ingress_nginx_ns = Namespace.get("ingress-nginx-ns", "ingress-nginx")
-                ingress_nginx = Release.get("ingress-nginx", "ingress-nginx")
 
-        controller_name = Output.concat(
-            ingress_nginx_ns.metadata.name,
-            "/",
-            ingress_nginx.status.name,
-            "-controller",
-        )
+                controller_name = Output.concat(
+                    ingress_nginx_ns.metadata.name,
+                    "/",
+                    ingress_nginx.status.name,
+                    "-controller",
+                )
+                ingress_service = Service.get(
+                    "ingress-nginx-controller-service",
+                    controller_name,
+                )
 
-        ingress_service = Service.get(
-            "ingress-nginx-controller-service",
-            controller_name,
-        )
+                self.ingress_ip = ingress_service.status.load_balancer.ingress[0].ip
+                self.ingress_ports = ingress_service.spec.ports.apply(
+                    lambda ports: [item.port for item in ports]
+                )
 
-        self.ingress_ip = ingress_service.status.load_balancer.ingress[0].ip
-        self.ingress_ports = ingress_service.spec.ports.apply(
-            lambda ports: [item.port for item in ports]
-        )
+            case K8sEnvironment.DAWN:
+                # Dawn specific configuration
+                ingress_nginx_ns = Namespace.get("ingress-nginx-ns", "ingress-nginx")
+                ingress_nginx = Service.get(
+                    "ingress-nginx",
+                    Output.concat(
+                        ingress_nginx_ns.metadata.name,
+                        "/ingress-nginx-controller",
+                    ),
+                    opts=ResourceOptions.merge(
+                        child_opts,
+                        ResourceOptions(depends_on=ingress_nginx_ns),
+                    ),
+                )
 
         self.register_outputs(
             {"ingress_nginx_ns": ingress_nginx_ns, "ingress_nginx": ingress_nginx}