Release Workload Identity

.github/workflows/build-push.yml

@@ -18,25 +18,25 @@ jobs:
           - name: "dev"
             ref: "refs/heads/main"
             acr-name: "radixdev"
-            client-id: "1a292b18-2960-49a5-b429-c8a50349b5eb"
+            client-id: "9f25e2ad-13ef-4fd5-b661-ab97687d548a"
             subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
 
           - name: "playground"
             ref: "refs/heads/release"
             acr-name: "radixdev"
-            client-id: "1a292b18-2960-49a5-b429-c8a50349b5eb"
+            client-id: "e0b5929a-ebe5-4a35-927c-97184cbed120"
             subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
 
           - name: "platform"
             ref: "refs/heads/release"
             acr-name: "radixprod"
-            client-id: "d1ee58e8-5896-48d9-a777-5418c3df9a58"
+            client-id: "1a7cba57-f0e4-48af-8520-3c98349d6465"
             subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
 
           - name: "c2"
             ref: "refs/heads/release"
             acr-name: "radixc2prod"
-            client-id: "d1ee58e8-5896-48d9-a777-5418c3df9a58"
+            client-id: "5d1aca8b-7b54-4a4d-b8ee-754b842e9fbe"
             subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
 
     steps:
@@ -50,6 +50,19 @@ jobs:
           tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
           subscription-id: ${{matrix.target.subscription-id}}
 
+      - name: Get GitHub Public IP
+        if: matrix.target.ref == github.ref
+        id: github_public_ip
+        run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
+
+      - name: Add GitHub IP to ACR
+        if: matrix.target.ref == github.ref
+        id: update_firewall
+        run: az acr network-rule add
+          --name ${{matrix.target.acr-name}}
+          --subscription ${{matrix.target.subscription-id}}
+          --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+
       - name: Generate image tag
         if: matrix.target.ref == github.ref
         id: tag
@@ -81,3 +94,10 @@ jobs:
              --set CACHE="" \
              --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max"
 
+
+      - name: Revoke GitHub IP on ACR
+        if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+        run: az acr network-rule remove
+          --name ${{matrix.target.acr-name}}
+          --subscription ${{matrix.target.subscription-id}}
+          --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}

.github/workflows/deploy-database.yml

@@ -67,6 +67,8 @@ jobs:
         with:
           connection-string: ${{env.connection}}
           path: './azure-infrastructure/sql-scripts/roles.sql'
+          arguments: '--variables RADIX_ZONE=${{matrix.target.name}}'
+
 
       - uses: azure/sql-action@v2.2.1
         if: matrix.target.ref == github.ref

azure-infrastructure/sql-scripts/roles.sql

@@ -6,4 +6,17 @@ END
 IF NOT EXISTS(SELECT 1 FROM sys.database_principals WHERE principal_id = DATABASE_PRINCIPAL_ID('radixwriter'))
 BEGIN
 	CREATE ROLE radixwriter
-END
+END
+
+
+IF NOT EXISTS(SELECT 1 FROM sys.database_principals WHERE name = 'radix-id-vulnerability-scan-writer-$(RADIX_ZONE)')
+BEGIN
+    CREATE USER [radix-id-vulnerability-scan-writer-$(RADIX_ZONE)] FROM EXTERNAL PROVIDER;
+END
+ALTER ROLE radixwriter ADD MEMBER [radix-id-vulnerability-scan-writer-$(RADIX_ZONE)]
+
+IF NOT EXISTS(SELECT 1 FROM sys.database_principals WHERE name = 'radix-id-vulnerability-scan-reader-$(RADIX_ZONE)')
+BEGIN
+    CREATE USER [radix-id-vulnerability-scan-reader-$(RADIX_ZONE)] FROM EXTERNAL PROVIDER;
+END
+ALTER ROLE radixreader ADD MEMBER [radix-id-vulnerability-scan-reader-$(RADIX_ZONE)]

charts/radix-vulnerability-scanner/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: 0.0.7
-version: 0.0.7
+appVersion: 0.1.0
+version: 0.1.0
 description: Scan images in RadixDeployments for vulnerabilities
 name: radix-vulnerability-scanner

charts/radix-vulnerability-scanner/templates/deployment.yaml

@@ -57,6 +57,9 @@ spec:
             {{- with .Values.sql.databaseName }}
             - --db-database={{ . }}
             {{- end}}
+            {{- with .Values.sql.federatedCredentials}}
+            - --db-use-federated-token=true
+            {{- end}}
             {{- with .Values.sql.userName }}
             - --db-username={{ . }}
             {{- end}}

charts/radix-vulnerability-scanner/values.yaml

@@ -26,6 +26,7 @@ sql:
   userName: ""
   # Stored in envSecret. Requires envSecret.create to be true.
   password: ""
+  federatedCredentials: ""
 
 # Defines or creates a secret that holds environment variables
 envSecret:
@@ -112,4 +113,4 @@ podSecurityContext:
 securityContext:
   privileged: false
   readOnlyRootFilesystem: false
-  allowPrivilegeEscalation: false
+  allowPrivilegeEscalation: false

go.mod

@@ -5,19 +5,19 @@ go 1.21
 toolchain go1.21.0
 
 require (
-	github.com/containerd/containerd v1.7.11
-	github.com/equinor/radix-common v1.7.1
-	github.com/equinor/radix-operator v1.48.0
+	github.com/containerd/containerd v1.7.14
+	github.com/equinor/radix-common v1.9.2
+	github.com/equinor/radix-operator v1.50.2
 	github.com/golang/mock v1.6.0
-	github.com/microsoft/go-mssqldb v1.6.0
+	github.com/microsoft/go-mssqldb v1.7.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/robfig/cron/v3 v3.0.1
-	github.com/rs/zerolog v1.31.0
+	github.com/rs/zerolog v1.32.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.18.2
-	github.com/stretchr/testify v1.8.4
-	gorm.io/driver/sqlserver v1.5.2
-	gorm.io/gorm v1.25.5
+	github.com/stretchr/testify v1.9.0
+	gorm.io/driver/sqlserver v1.5.3
+	gorm.io/gorm v1.25.7
 	k8s.io/api v0.29.0
 	k8s.io/apimachinery v0.29.0
 	k8s.io/client-go v0.29.0
@@ -26,28 +26,34 @@ require (
 
 require (
 	dario.cat/mergo v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.1 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/go-logr/logr v1.3.0 // indirect
-	github.com/go-openapi/jsonpointer v0.20.0 // indirect
-	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-openapi/jsonpointer v0.20.2 // indirect
+	github.com/go-openapi/jsonreference v0.20.4 // indirect
+	github.com/go-openapi/swag v0.22.7 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/uuid v1.5.0 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
+	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
@@ -57,32 +63,33 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
-	golang.org/x/net v0.19.0 // indirect
+	golang.org/x/crypto v0.18.0 // indirect
+	golang.org/x/exp v0.0.0-20231226003508-02704c960a9b // indirect
+	golang.org/x/net v0.20.0 // indirect
 	golang.org/x/oauth2 v0.15.0 // indirect
-	golang.org/x/sys v0.15.0 // indirect
-	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/term v0.16.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	google.golang.org/protobuf v1.32.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.110.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231129212854-f0671cc7e66a // indirect
+	k8s.io/kube-openapi v0.0.0-20240103051144-eec4567ac022 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect