Azure · danielscholl · May 21, 2025 · May 19, 2025 · May 20, 2025 · May 20, 2025
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -71,7 +71,7 @@ env:
   AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
   AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
   AZURE_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-  AZCLIVERSION: 2.63.0    # https://github.com/Azure/azure-cli/issues/29828
+  AZCLIVERSION: 2.73.0    # https://github.com/Azure/azure-cli/issues/29828
   ParamFilePath: ".github/parameters.json"
   DEPNAME: "dep${{ github.run_number }}"
 

diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -158,7 +158,7 @@ var configuration = {
 }
 
 var rg_unique_id = '${replace(configuration.name, '-', '')}${uniqueString(resourceGroup().id, configuration.name)}'
-
+var dnsName = uniqueString(resourceGroup().id, configuration.name)
 
 /*
  __   _______   _______ .__   __. .___________. __  .___________.____    ____
@@ -605,7 +605,7 @@ var vaultSecrets = [
 module keyvault 'br/public:avm/res/key-vault/vault:0.11.2' = {
   name: '${configuration.name}-keyvault'
   params: {
-    name: length(name) > 24 ? substring(name, 0, 24) : name
+    name: length(name) > 17 ? substring(name, 0, 17) : name
     location: location
     enableTelemetry: enableTelemetry
 
@@ -940,7 +940,7 @@ module gitOpsUpload 'br/public:avm/res/resources/deployment-script:0.5.1' = [for
     runOnce: true
 
     managedIdentities: {
-      userAssignedResourcesIds: [
+      userAssignedResourceIds: [
         stampIdentity.outputs.resourceId
       ]
     }
@@ -1051,6 +1051,8 @@ module configBlade 'modules/blade_configuration.bicep' = {
 
     location: location
 
+    dnsName: dnsName
+
     osduVersion: clusterSoftware.osduVersion == '' ? 'master' : clusterSoftware.osduVersion
     enableSoftwareLoad: clusterSoftware.enable == 'false' ? false : true
     enableOsduCore: clusterSoftware.osduCore == 'false' ? false : true

diff --git a/bicep/main.parameters.json b/bicep/main.parameters.json
@@ -2,6 +2,9 @@
   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
+    "location": {
+      "value": "${AZURE_LOCATION}"
+    },
     "applicationClientId": {
       "value": "${AZURE_CLIENT_ID}"
     },

diff --git a/bicep/modules/blade_configuration.bicep b/bicep/modules/blade_configuration.bicep
@@ -11,6 +11,9 @@ param location string
 @description('The tags to apply to the resources')
 param tags object = {}
 
+@description('The unique identifier for the deployment')
+param dnsName string
+
 @description('The name of the Key Vault where the secret exists')
 param kvName string
 
@@ -407,6 +410,9 @@ values.yaml: |
     appOid: {7}
     resourceGroup: {8}
     storageAccountName: {11}
+    subscription: {12}
+    aksName: {13}
+    dnsName: {14}
   ingress:
     internalGateway:
       enabled: {9}
@@ -452,7 +458,10 @@ module appConfigMap './aks-config-map/main.bicep' = {
              resourceGroup().name,
              clusterIngress == 'Internal' || clusterIngress == 'Both' ? 'true' : 'false',
              clusterIngress == 'External' || clusterIngress == 'Both' ? 'true' : 'false',
-             storageAccountName)
+             storageAccountName,
+             subscription().subscriptionId,
+             clusterName,
+             dnsName)
     ]
   }
 }

diff --git a/bicep/modules/blade_partition.bicep b/bicep/modules/blade_partition.bicep
@@ -648,7 +648,7 @@ var topicsWithSubscriptions = [for topic in partitionLayerConfig.servicebus.topi
 }]
 
 // Then use this variable in the module
-module partitonNamespace 'br/public:avm/res/service-bus/namespace:0.9.1' = [for (partition, index) in partitions:  {
+module partitonNamespace 'br/public:avm/res/service-bus/namespace:0.14.1' = [for (partition, index) in partitions:  {
   name: '${bladeConfig.sectionName}-service-bus-${index}'
   params: {
     name: '${replace('data${index}${substring(uniqueString(partition.name), 0, 6)}', '-', '')}${uniqueString(resourceGroup().id, 'data${index}${substring(uniqueString(partition.name), 0, 6)}')}'
@@ -680,6 +680,16 @@ module partitonNamespace 'br/public:avm/res/service-bus/namespace:0.9.1' = [for
 
     disableLocalAuth: false
 
+    roleAssignments: [
+      {
+        name: guid('Custom seed ${bladeConfig.sectionName}')
+        principalId: stampIdentity.properties.principalId
+        principalType: 'ServicePrincipal'
+        roleDefinitionIdOrName: 'Azure Service Bus Data Receiver'
+      }
+
+    ]
+
     authorizationRules: [
       {
         name: 'RootManageSharedAccessKey'

diff --git a/charts/dns-configuration/Chart.yaml b/charts/dns-configuration/Chart.yaml
@@ -0,0 +1,27 @@
+apiVersion: v2
+name: dns-configuration
+description: A Helm chart for configuring DNS labels on AKS LoadBalancer IPs
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 0.0.1
+
+maintainers:
+  - name: Microsoft OSDU
+    url: https://github.com/Azure/osdu-developer
diff --git a/charts/dns-configuration/README.md b/charts/dns-configuration/README.md
@@ -0,0 +1,110 @@
+# DNS Configuration Helm Chart
+
+This chart configures DNS labels for Azure Kubernetes Service (AKS) LoadBalancer IPs, enabling automatic FQDN assignment for OSDU services.
+
+--------------------------------------------------------------------------------
+## Prerequisites
+
+- Azure Kubernetes Service (AKS) cluster with workload identity enabled
+- Istio service mesh deployed
+- Azure CLI and kubectl access configured
+
+--------------------------------------------------------------------------------
+## Install Process
+
+Either manually modify the `values.yaml` for the chart or generate a `custom_values.yaml` to use.
+
+_The following commands can help generate a prepopulated custom values file._
+
+```bash
+# Setup Variables
+GROUP=<your_resource_group>
+
+SUBSCRIPTION=$(az account show --query id -otsv)
+AKS_NAME=$(az aks list --resource-group $GROUP --query "[0].name" -otsv)
+
+cat > custom_values.yaml << EOF
+################################################################################
+# Azure environment specific values
+#
+azure:
+  tenantId: $(az account show --query tenantId -otsv)
+  clientId: $(az identity list --resource-group $GROUP --query "[?contains(name, 'osdu-identity')].clientId" -otsv)
+  configEndpoint: $(az appconfig list --resource-group $GROUP --query "[0].endpoint" -otsv)
+  keyvaultName: $(az keyvault list --resource-group $GROUP --query "[0].name" -otsv)
+  keyvaultUri: $(az keyvault list --resource-group $GROUP --query "[0].properties.vaultUri" -otsv)
+  subscription: $SUBSCRIPTION
+  resourceGroup: $GROUP
+  aksName: $AKS_NAME
+EOF
+```
+
+--------------------------------------------------------------------------------
+## Manual Testing
+
+Test the chart locally:
+
+```bash
+helm template dns-configuration . -f custom_values.yaml
+```
+
+--------------------------------------------------------------------------------
+## Install Helm Chart
+
+```bash
+# Create the release in the osdu-system namespace where the ServiceAccount exists
+NAMESPACE=osdu-system
+helm upgrade --install dns-configuration . -n $NAMESPACE -f custom_values.yaml
+
+# For testing with custom values
+helm upgrade --install dns-configuration . -n $NAMESPACE \
+  --set azure.subscription=$(az account show --query id -otsv) \
+  --set azure.aksName="$(az aks list --query "[0].name" -otsv)"
+
+# Verify the job completed
+kubectl get jobs -n $NAMESPACE
+kubectl get pods -n $NAMESPACE | grep dns-configuration
+
+# Check job logs
+POD_NAME=$(kubectl get pods -n $NAMESPACE -l app.kubernetes.io/name=dns-configuration -o jsonpath='{.items[0].metadata.name}')
+kubectl logs $POD_NAME -n $NAMESPACE
+
+# Check the created ConfigMap
+kubectl get configmap dns-config -n $NAMESPACE -o yaml
+```
+
+--------------------------------------------------------------------------------
+## Uninstall
+
+```bash
+# Uninstall the release
+helm uninstall dns-configuration -n $NAMESPACE
+
+# Manually clean up ConfigMap if needed
+kubectl delete configmap dns-config -n $NAMESPACE
+```
+
+--------------------------------------------------------------------------------
+## Configuration Options
+
+| Parameter                | Description                              | Default                |
+|--------------------------|------------------------------------------|------------------------|
+| `serviceAccount.create`  | Create a new service account             | `false`                |
+| `serviceAccount.name`    | Service account name to use              | `workload-identity-sa` |
+| `azure.tenantId`         | Azure tenant ID                          | `<your_tenant_id>`     |
+| `azure.clientId`         | Azure client ID for workload identity    | `<your_client_id>`     |
+| `azure.subscription`     | Azure subscription ID                    | `<your_subscription_id>` |
+| `azure.resourceGroup`    | Resource group containing the AKS cluster| `<your_resource_group>` |
+| `azure.aksName`          | AKS cluster name                         | `<your_aks_cluster_name>` |
+| `azure.uniqueId`         | Unique ID for the cluster                | `""`                  |
+
+--------------------------------------------------------------------------------
+## Output
+
+The chart creates a ConfigMap named `dns-config` in the release namespace containing:
+
+- `external_ip`: The LoadBalancer external IP address
+- `fqdn`: The fully qualified domain name
+- `dns_label`: The DNS label assigned
+
+Other services can reference this ConfigMap to obtain the FQDN for certificate generation and gateway configuration.
diff --git a/charts/dns-configuration/templates/_helpers.tpl b/charts/dns-configuration/templates/_helpers.tpl
@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dns-configuration.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dns-configuration.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "dns-configuration.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "dns-configuration.labels" -}}
+helm.sh/chart: {{ include "dns-configuration.chart" . }}
+{{ include "dns-configuration.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "dns-configuration.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "dns-configuration.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dns-configuration.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "dns-configuration.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/dns-configuration/templates/clusterrole.yaml b/charts/dns-configuration/templates/clusterrole.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: dns-config-job-cluster-reader
+rules:
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dns-config-job-cluster-reader-binding
+subjects:
+- kind: ServiceAccount
+  name: workload-identity-sa
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: dns-config-job-cluster-reader
+  apiGroup: rbac.authorization.k8s.io