[draft] setting up event grid namespaces infrastructure and access

this PR introduces a bicep template to create an Azure Event Grid Namespaces instance in the same RG as the AKS cluster for development purposes. this template implements certificate based authn and topic template based authz as proposed in SD-DDR-0024. entra based authn/z is under investigation and first results can be found here - https://issues.redhat.com/browse/ARO-7244 this PR incomplete and lacks deployment scripts for a Maestro Server and Agent interacting with Event Grid. this will be added soon. Signed-off-by: Gerd Oberlechner <[email protected]>
Azure · Apr 30, 2024 · 8519aac · 8519aac
1 parent 6e3fe7c
commit 8519aac
Show file tree

Hide file tree

Showing 6 changed files with 197 additions and 1 deletion.
diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile
@@ -37,7 +37,14 @@ rg: setsubscription
   		--location $(LOCATION) \
 		--tags "CreatedByConfig=${AKSCONFIG}"
 
+dev.maestro.certs:
+	openssl req -x509 -newkey rsa:4096 -keyout secrets/maestro-server-key.pem -out secrets/maestro-server-cert.pem -days 365 -nodes -subj "/CN=maestro-server"
+	openssl req -x509 -newkey rsa:4096 -keyout secrets/consumer-key.pem -out secrets/consumer-cert.pem -days 365 -nodes -subj "/CN=maestro-consumer-1"
+
+
 dev.infrastructure: setsubscription rg
+	$(eval MAESTRO_SERVER_CERT_THUMBPRINT := $(shell openssl x509 -in secrets/maestro-server-cert.pem -noout -fingerprint 2>/dev/null | cut -d '=' -f 2 | tr -d ':'))
+	$(eval MAESTRO_CONSUMER_CERT_THUMBPRINT := $(shell openssl x509 -in secrets/consumer-cert.pem -noout -fingerprint 2>/dev/null | cut -d '=' -f 2 | tr -d ':'))
 	az deployment group create \
 		--name "$(DEPLOYMENTNAME)-dev-infra" \
 		--resource-group $(RESOURCEGROUP) \
@@ -46,7 +53,9 @@ dev.infrastructure: setsubscription rg
 		--parameters \
 			configurations/${AKSCONFIG}.bicepparam \
 		--parameters \
-			currentUserId=$(CURRENTUSER)
+			currentUserId=$(CURRENTUSER) \
+			maestroServerCertThumbprint=$(MAESTRO_SERVER_CERT_THUMBPRINT) \
+			maestroConsumerCertThumbprint=$(MAESTRO_CONSUMER_CERT_THUMBPRINT)
 
 aks.kubeconfig:
 	az aks get-credentials -n aro-hcp-cluster-001 -g $(RESOURCEGROUP) -a -f aks.kubeconfig

diff --git a/dev-infrastructure/configurations/private.bicepparam b/dev-infrastructure/configurations/private.bicepparam
@@ -10,3 +10,5 @@ param createdByConfigTag = 'private'
 
 // This parameter is always overriden in the Makefile
 param currentUserId = ''
+param maestroServerCertThumbprint = ''
+param maestroConsumerCertThumbprint = ''
diff --git a/dev-infrastructure/configurations/public.bicepparam b/dev-infrastructure/configurations/public.bicepparam
@@ -10,3 +10,5 @@ param createdByConfigTag = 'public'
 
 // This parameter is always overriden in the Makefile
 param currentUserId = ''
+param maestroServerCertThumbprint = ''
+param maestroConsumerCertThumbprint = ''
diff --git a/dev-infrastructure/docs/development-setup.md b/dev-infrastructure/docs/development-setup.md
@@ -11,6 +11,14 @@ The idea of this repo is to provide means to create a development environment th
 
 ## Procedure
 
+1. (optional) Prepare Event Grid Certificates
+
+   If you want Event Grid Infrastructure to be provisioned along with the AKS cluster, create some certicates for the Maestro Server and an Agent upfront.
+
+   ```bash
+   AKSCONFIG=private make dev.maestro.certs
+   ```
+
 1. Provision a Public/Private AKS cluster
 
    ```bash

diff --git a/dev-infrastructure/templates/aks-development.bicep b/dev-infrastructure/templates/aks-development.bicep
@@ -305,3 +305,20 @@ module nestedPeeringTemplate './rp-cosmos.bicep' =
       disableLocalAuth: disableLocalAuth
     }
   }
+
+@description('The thumbprint for the Maestro Server certificate.')
+param maestroServerCertThumbprint string
+
+@description('The thumbprint for the Maestro Consumer certificate.')
+param maestroConsumerCertThumbprint string
+
+module maestroEventGridTemplate './maestro-eventgrid.bicep' =
+  if (maestroServerCertThumbprint != '' && maestroConsumerCertThumbprint != '') {
+    name: 'maestro-eventgrid'
+    scope: resourceGroup()
+    params: {
+      location: location
+      serverCertThumbprint: maestroServerCertThumbprint
+      agentCertThumbprint: maestroConsumerCertThumbprint
+    }
+  }
diff --git a/dev-infrastructure/templates/maestro-eventgrid.bicep b/dev-infrastructure/templates/maestro-eventgrid.bicep
@@ -0,0 +1,158 @@
+param eventGridNamespaceName string = '${resourceGroup().name}-maestro-eventgrid'
+param location string
+
+param serverCertThumbprint string
+param agentCertThumbprint string
+
+
+// create an event grid namespace with MQTT enabled
+resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2023-12-15-preview' = {
+  name: eventGridNamespaceName
+  location: location
+  sku: {
+    name: 'Standard'
+  }
+  properties: {
+    publicNetworkAccess: 'Enabled'
+    topicSpacesConfiguration: {
+      state: 'Enabled'
+    }
+  }
+}
+
+//
+//   M A E S T R O   S E R V E R
+//
+
+resource maestroServerMqttClient 'Microsoft.EventGrid/namespaces/clients@2023-12-15-preview' = {
+  name: 'maestro-server'
+  parent: eventGridNamespace
+  properties: {
+    authenticationName: 'maestro-server'
+    attributes: {
+      role: 'server'
+    }
+    clientCertificateAuthentication: {
+      allowedThumbprints: [
+        serverCertThumbprint
+      ]
+      validationScheme: 'ThumbprintMatch'
+    }
+    state: 'Enabled'
+  }
+}
+
+// a client group to hold the maestro server client
+resource maestroServerMqttClientGroup 'Microsoft.EventGrid/namespaces/clientGroups@2023-12-15-preview' = {
+  name: 'maestro-server'
+  parent: eventGridNamespace
+  properties: {
+    query: 'attributes.role IN [\'server\']'
+  }
+}
+
+// create a topic space for the maestro server
+resource maestroServerTopicspace 'Microsoft.EventGrid/namespaces/topicSpaces@2023-12-15-preview' = {
+  name: 'maestro-server'
+  parent: eventGridNamespace
+  properties: {
+    topicTemplates: [
+      '*'
+    ]
+  }
+}
+
+resource maestroServerPermissionBindingPublish 'Microsoft.EventGrid/namespaces/permissionBindings@2023-12-15-preview' = {
+  name: 'maestroServerPublish'
+  parent: eventGridNamespace
+  properties: {
+    clientGroupName: maestroServerMqttClientGroup.name
+    permission: 'Publisher'
+    topicSpaceName: maestroServerTopicspace.name
+  }
+}
+
+resource maestroServerPermissionBindingSubscribe 'Microsoft.EventGrid/namespaces/permissionBindings@2023-12-15-preview' = {
+  name: 'maestroServerSubscribe'
+  parent: eventGridNamespace
+  properties: {
+    clientGroupName: maestroServerMqttClientGroup.name
+    permission: 'Subscriber'
+    topicSpaceName: maestroServerTopicspace.name
+  }
+}
+
+
+//
+//   M A E S T R O   A G E N T
+//
+
+resource maestroAgentMqttClient 'Microsoft.EventGrid/namespaces/clients@2023-12-15-preview' = {
+  name: 'maestro-agent'
+  parent: eventGridNamespace
+  properties: {
+    authenticationName: 'consumer-1'
+    attributes: {
+      role: 'agent'
+      consumerName: 'consumer-1'
+    }
+    clientCertificateAuthentication: {
+      allowedThumbprints: [
+        agentCertThumbprint
+      ]
+      validationScheme: 'ThumbprintMatch'
+    }
+    state: 'Enabled'
+  }
+}
+
+// a client group to hold the maestro server client
+resource maestroAgentMqttClientGroup 'Microsoft.EventGrid/namespaces/clientGroups@2023-12-15-preview' = {
+  name: 'maestro-agent'
+  parent: eventGridNamespace
+  properties: {
+    query: 'attributes.role IN [\'agent\']'
+  }
+}
+
+// create a topic space for agent source events
+resource maestroAgentSourceEventsTopicspace 'Microsoft.EventGrid/namespaces/topicSpaces@2023-12-15-preview' = {
+  name: 'maestro-agent-source-events'
+  parent: eventGridNamespace
+  properties: {
+    topicTemplates: [
+      'sources/maestro/consumers/{client.properties.consumerName}/sourceevents'
+    ]
+  }
+}
+
+resource maestroAgentSourceEventsPermissions 'Microsoft.EventGrid/namespaces/permissionBindings@2023-12-15-preview' = {
+  name: 'maestroAgentSubscriber'
+  parent: eventGridNamespace
+  properties: {
+    clientGroupName: maestroServerMqttClientGroup.name
+    permission: 'Subscriber'
+    topicSpaceName: maestroAgentSourceEventsTopicspace.name
+  }
+}
+
+// create a topic space for agent events
+resource maestroAgentEventsTopicspace 'Microsoft.EventGrid/namespaces/topicSpaces@2023-12-15-preview' = {
+  name: 'maestro-agent-events'
+  parent: eventGridNamespace
+  properties: {
+    topicTemplates: [
+      'sources/maestro/consumers/{client.properties.consumerName}/sourceevents'
+    ]
+  }
+}
+
+resource maestroAgentEventsPermissions 'Microsoft.EventGrid/namespaces/permissionBindings@2023-12-15-preview' = {
+  name: 'maestroAgentPublisher'
+  parent: eventGridNamespace
+  properties: {
+    clientGroupName: maestroServerMqttClientGroup.name
+    permission: 'Publisher'
+    topicSpaceName: maestroAgentEventsTopicspace.name
+  }
+}