Arcbox 3.0 - Remove storage SAS token

azure_jumpstart_arcbox/artifacts/DataOpsLogonScript.ps1

@@ -3,6 +3,7 @@ $Env:ArcBoxLogsDir = "C:\ArcBox\Logs"
 $Env:ArcBoxVMDir = "F:\Virtual Machines"
 $Env:ArcBoxIconDir = "C:\ArcBox\Icons"
 $Env:ArcBoxTestsDir = "$Env:ArcBoxDir\Tests"
+$Env:AZCOPY_AUTO_LOGIN_TYPE = "MSI"
 
 $clusters = @(
     [pscustomobject]@{clusterName = $Env:k3sArcDataClusterName; dataController = "$Env:k3sArcDataClusterName-dc" ; customLocation = "$Env:k3sArcDataClusterName-cl" ; storageClassName = 'longhorn' ; licenseType = 'LicenseIncluded' ; context = 'k3s' ; kubeConfig = "C:\Users\$Env:adminUsername\.kube\config-datasvc-k3s" }
@@ -100,9 +101,6 @@ Write-Host "`n"
 # Downloading k3s Kubernetes cluster kubeconfig file
 Write-Header "Downloading k3s Kubeconfig"
 $sourceFile = "https://$Env:stagingStorageAccountName.blob.core.windows.net/$($Env:k3sArcDataClusterName.ToLower())/config"
-$context = (Get-AzStorageAccount -ResourceGroupName $Env:resourceGroup).Context
-$sas = New-AzStorageAccountSASToken -Context $context -Service Blob -ResourceType Container,Object -Permission racwdlup
-$sourceFile = $sourceFile + "?" + $sas
 azcopy cp --check-md5 FailIfDifferentOrMissing $sourceFile "C:\Users\$Env:adminUsername\.kube\config-datasvc-k3s"
 azcopy cp --check-md5 FailIfDifferentOrMissing $sourceFile "C:\Users\$Env:adminUsername\.kube\config"
 
@@ -112,7 +110,6 @@ azcopy cp --check-md5 FailIfDifferentOrMissing $sourceFile  "C:\Users\$Env:admin
 # Downloading 'installk3s.log' log file
 Write-Header "Downloading k3s Install Logs"
 $sourceFile = "https://$Env:stagingStorageAccountName.blob.core.windows.net/$($Env:k3sArcDataClusterName.ToLower())/*"
-$sourceFile = $sourceFile + "?" + $sas
 azcopy cp --check-md5 FailIfDifferentOrMissing $sourceFile  "$Env:ArcBoxLogsDir\" --include-pattern "*.log"
 
 Start-Sleep -Seconds 10

azure_jumpstart_arcbox/artifacts/DevOpsLogonScript.ps1

@@ -9,6 +9,7 @@ $osmReleaseVersion = "1.1.1-1"
 $osmCLIReleaseVersion = "v1.2.3"
 $osmMeshName = "osm"
 $ingressNamespace = "ingress-nginx"
+$Env:AZCOPY_AUTO_LOGIN_TYPE = "MSI"
 
 # $certname = "ingress-cert"
 $certdns = "arcbox.devops.com"
@@ -49,9 +50,6 @@ az account set -s $env:subscriptionId
 # Downloading ArcBox-DataSvc-K3s Kubernetes cluster kubeconfig file
 Write-Header "Downloading ArcBox-DataSvc-K3s K8s Kubeconfig"
 $sourceFile = "https://$Env:stagingStorageAccountName.blob.core.windows.net/$($Env:k3sArcDataClusterName.ToLower())/config"
-$context = (Get-AzStorageAccount -ResourceGroupName $Env:resourceGroup).Context
-$sas = New-AzStorageAccountSASToken -Context $context -Service Blob -ResourceType Container,Object -Permission racwdlup
-$sourceFile = $sourceFile + "?" + $sas
 azcopy cp --check-md5 FailIfDifferentOrMissing $sourceFile  "C:\Users\$Env:USERNAME\.kube\config"
 
 # Downloading ArcBox-DataSvc-K3s log file
@@ -63,9 +61,6 @@ azcopy cp --check-md5 FailIfDifferentOrMissing $sourceFile  "$Env:ArcBoxLogsDir\
 # Downloading ArcBox-K3s cluster kubeconfig file
 Write-Header "Downloading ArcBox-K3s Kubeconfig"
 $sourceFile = "https://$Env:stagingStorageAccountName.blob.core.windows.net/$($Env:k3sArcClusterName.ToLower())/config"
-$context = (Get-AzStorageAccount -ResourceGroupName $Env:resourceGroup).Context
-$sas = New-AzStorageAccountSASToken -Context $context -Service Blob -ResourceType Container,Object -Permission racwdlup
-$sourceFile = $sourceFile + "?" + $sas
 azcopy cp --check-md5 FailIfDifferentOrMissing $sourceFile  "C:\Users\$Env:USERNAME\.kube\config-k3s"
 $Env:KUBECONFIG="C:\users\$Env:USERNAME\.kube\config"
 

azure_jumpstart_arcbox/artifacts/installK3s.sh

@@ -11,9 +11,6 @@ sudo echo "staginguser:ArcPassw0rd" | sudo chpasswd
 # Injecting environment variables
 echo '#!/bin/bash' >> vars.sh
 echo $adminUsername:$1 | awk '{print substr($1,2); }' >> vars.sh
-# echo $SPN_CLIENT_ID:$2 | awk '{print substr($1,2); }' >> vars.sh
-# echo $SPN_CLIENT_SECRET:$3 | awk '{print substr($1,2); }' >> vars.sh
-# echo $SPN_TENANT_ID:$4 | awk '{print substr($1,2); }' >> vars.sh
 echo $subscriptionId:$2 | awk '{print substr($1,2); }' >> vars.sh
 echo $vmName:$3 | awk '{print substr($1,2); }' >> vars.sh
 echo $location:$4 | awk '{print substr($1,2); }' >> vars.sh
@@ -25,9 +22,6 @@ echo $k3sControlPlane:$9 | awk '{print substr($1,2); }' >> vars.sh
 
 
 sed -i '2s/^/export adminUsername=/' vars.sh
-# sed -i '3s/^/export SPN_CLIENT_ID=/' vars.sh
-# sed -i '4s/^/export SPN_CLIENT_SECRET=/' vars.sh
-# sed -i '5s/^/export SPN_TENANT_ID=/' vars.sh
 sed -i '3s/^/export subscriptionId=/' vars.sh
 sed -i '4s/^/export vmName=/' vars.sh
 sed -i '5s/^/export location=/' vars.sh
@@ -50,6 +44,22 @@ sudo curl -v -o /etc/profile.d/welcomeK3s.sh ${templateBaseUrl}artifacts/welcome
 sudo -u $adminUsername mkdir -p /home/${adminUsername}/jumpstart_logs
 while sleep 1; do sudo -s rsync -a /var/lib/waagent/custom-script/download/0/installK3s.log /home/${adminUsername}/jumpstart_logs/installK3s.log; done &
 
+# Downloading azcopy
+echo ""
+echo "Downloading azcopy"
+echo ""
+wget -O azcopy.tar.gz https://aka.ms/downloadazcopy-v10-linux
+if [[ $? -ne 0 ]]; then
+    echo "ERROR: Failed to download azcopy"
+    exit 1
+fi
+
+tar -xf azcopy.tar.gz
+sudo mv azcopy_linux_amd64_*/azcopy /usr/local/bin/azcopy
+sudo chmod +x /usr/local/bin/azcopy
+# Authorize azcopy by using a system-wide managed identity
+export AZCOPY_AUTO_LOGIN_TYPE=MSI
+
 # Installing Azure CLI & Azure Arc extensions
 curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
 
@@ -126,24 +136,11 @@ if [[ "$k3sControlPlane" == "true" ]]; then
     k3sClusterNodeConfig="/home/$adminUsername/k3sClusterNodeConfig.yaml"
     echo "k3sNodeToken: $(sudo cat /var/lib/rancher/k3s/server/node-token)" >> $k3sClusterNodeConfig
     echo "k3sClusterIp: $publicIp" >> $k3sClusterNodeConfig
-    sudo -u $adminUsername az extension add --upgrade -n storage-preview
-    storageAccountRG=$(sudo -u $adminUsername az storage account show --name $stagingStorageAccountName --query 'resourceGroup' | sed -e 's/^"//' -e 's/"$//')
-    storageAccountKey=$(sudo -u $adminUsername az storage account keys list --resource-group $storageAccountRG --account-name $stagingStorageAccountName --query [0].value | sed -e 's/^"//' -e 's/"$//')
-    sudo -u $adminUsername az storage container create -n $storageContainerName --account-name $stagingStorageAccountName --account-key $storageAccountKey
-    sudo -u $adminUsername az storage azcopy blob upload --container $storageContainerName --account-name $stagingStorageAccountName --account-key $storageAccountKey --source $localPath
-    sudo -u $adminUsername az storage azcopy blob upload --container $storageContainerName --account-name $stagingStorageAccountName --account-key $storageAccountKey --source $k3sClusterNodeConfig
-
-    # # Registering Azure resource providers
-    # echo ""
-    # echo "Registering Azure resource providers"
-    # echo ""
-    # sudo -u $adminUsername az provider register --namespace 'Microsoft.Kubernetes' --wait
-    # sudo -u $adminUsername az provider register --namespace 'Microsoft.KubernetesConfiguration' --wait
-    # sudo -u $adminUsername az provider register --namespace 'Microsoft.PolicyInsights' --wait
-    # sudo -u $adminUsername az provider register --namespace 'Microsoft.ExtendedLocation' --wait
-    # sudo -u $adminUsername az provider register --namespace 'Microsoft.AzureArcData' --wait
-
-    # sudo service sshd restart
+    # Copying kubeconfig file to staging storage account
+    azcopy make "https://$stagingStorageAccountName.blob.core.windows.net/$storageContainerName"
+    azcopy cp $localPath "https://$stagingStorageAccountName.blob.core.windows.net/$storageContainerName/config"
+    azcopy cp $k3sClusterNodeConfig "https://$stagingStorageAccountName.blob.core.windows.net/$storageContainerName/k3sClusterNodeConfig.yaml"
+
     # Onboard the cluster to Azure Arc
     echo ""
     echo "Onboarding the cluster to Azure Arc"
@@ -178,18 +175,15 @@ else
     echo ""
     echo "Downloading k3s control plane details"
     echo ""
-    k3sClusterNodeConfig="k3sClusterNodeConfig.yaml"
-    sudo -u $adminUsername az extension add --upgrade -n storage-preview
-    storageAccountRG=$(sudo -u $adminUsername az storage account show --name $stagingStorageAccountName --query 'resourceGroup' | sed -e 's/^"//' -e 's/"$//')
-    storageAccountKey=$(sudo -u $adminUsername az storage account keys list --resource-group $storageAccountRG --account-name $stagingStorageAccountName --query [0].value | sed -e 's/^"//' -e 's/"$//')
-    sudo -u $adminUsername az storage azcopy blob download --container $storageContainerName --account-name $stagingStorageAccountName --account-key $storageAccountKey --source "$k3sClusterNodeConfig"  --destination "/home/$adminUsername/$k3sClusterNodeConfig"
+    k3sClusterNodeConfigYaml="k3sClusterNodeConfig.yaml"
+    azcopy cp --check-md5 FailIfDifferentOrMissing "https://$stagingStorageAccountName.blob.core.windows.net/$storageContainerName/$k3sClusterNodeConfigYaml" "/home/$adminUsername/$k3sClusterNodeConfigYaml"
 
     # Installing Rancher K3s cluster (single worker node)
     echo ""
     echo "Installing Rancher K3s cluster node"
     echo ""
-    k3sNodeToken=$(grep 'k3sNodeToken' "/home/$adminUsername/$k3sClusterNodeConfig" | awk '{print $2}')
-    k3sClusterIp=$(grep 'k3sClusterIp' "/home/$adminUsername/$k3sClusterNodeConfig" | awk '{print $2}')
+    k3sNodeToken=$(grep 'k3sNodeToken' "/home/$adminUsername/$k3sClusterNodeConfigYaml" | awk '{print $2}')
+    k3sClusterIp=$(grep 'k3sClusterIp' "/home/$adminUsername/$k3sClusterNodeConfigYaml" | awk '{print $2}')
     curl -sfL https://get.k3s.io | K3S_URL=https://${k3sClusterIp}:6443 K3S_TOKEN=${k3sNodeToken} sh -
     if [[ $? -ne 0 ]]; then
         echo "ERROR: Failed to add k3s worker nodes"
@@ -204,4 +198,4 @@ echo ""
 echo "Uploading the script logs to staging storage"
 echo ""
 log="/home/${adminUsername}/jumpstart_logs/installK3s.log"
-sudo -u $adminUsername az storage azcopy blob upload --container $storageContainerName --account-name $stagingStorageAccountName --account-key $storageAccountKey --source $log --destination "installK3s-$vmName.log"
+azcopy cp $log "https://$stagingStorageAccountName.blob.core.windows.net/$storageContainerName/installK3s-$vmName.log"

azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep

@@ -256,5 +256,16 @@ resource vmRoleAssignment_Owner 'Microsoft.Authorization/roleAssignments@2022-04
   }
 }
 
+// Add role assignment for the VM: Storage Blob Data Contributor
+resource vmRoleAssignment_Storage 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(vm.id, 'Microsoft.Authorization/roleAssignments', 'Storage Blob Data Contributor')
+  scope: resourceGroup()
+  properties: {
+    principalId: vm.identity.principalId
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+    principalType: 'ServicePrincipal'
+  }
+}
+
 output adminUsername string = windowsAdminUsername
 output publicIP string = deployBastion == false ? concat(publicIpAddress.properties.ipAddress) : ''

azure_jumpstart_arcbox/bicep/kubernetes/ubuntuRancher.bicep

@@ -148,6 +148,17 @@ resource vmRoleAssignment_Owner 'Microsoft.Authorization/roleAssignments@2022-04
   }
 }
 
+// Add role assignment for the VM: Storage Blob Data Contributor
+resource vmRoleAssignment_Storage 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(vm.id, 'Microsoft.Authorization/roleAssignments', 'Storage Blob Data Contributor')
+  scope: resourceGroup()
+  properties: {
+    principalId: vm.identity.principalId
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+    principalType: 'ServicePrincipal'
+  }
+}
+
 resource vmInstallscriptK3s 'Microsoft.Compute/virtualMachines/extensions@2022-03-01' = {
   parent: vm
   name: 'installscript_k3s'
@@ -167,5 +178,6 @@ resource vmInstallscriptK3s 'Microsoft.Compute/virtualMachines/extensions@2022-0
   }
   dependsOn: [
     vmRoleAssignment_Owner
+    vmRoleAssignment_Storage
   ]
 }

azure_jumpstart_arcbox/bicep/kubernetes/ubuntuRancherNodes.bicep

@@ -126,6 +126,17 @@ resource vmRoleAssignment_Owner 'Microsoft.Authorization/roleAssignments@2022-04
   }
 }
 
+// Add role assignment for the VM: Storage Blob Data Contributor
+resource vmRoleAssignment_Storage 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(vm.id, 'Microsoft.Authorization/roleAssignments', 'Storage Blob Data Contributor')
+  scope: resourceGroup()
+  properties: {
+    principalId: vm.identity.principalId
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+    principalType: 'ServicePrincipal'
+  }
+}
+
 resource vmInstallscriptK3s 'Microsoft.Compute/virtualMachines/extensions@2022-03-01' = {
   parent: vm
   name: 'installscript_k3s'
@@ -145,5 +156,6 @@ resource vmInstallscriptK3s 'Microsoft.Compute/virtualMachines/extensions@2022-0
   }
   dependsOn: [
     vmRoleAssignment_Owner
+    vmRoleAssignment_Storage
   ]
 }