@meshxdata/fops 0.1.45 → 0.1.47

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-network.js

@@ -0,0 +1,296 @@
+/**
+ * azure-aks-network.js - Network access, CIDR, and VNet operations
+ *
+ * Depends on: azure-aks-naming.js
+ */
+
+import { OK, WARN, ERR, DIM, hint, banner, kvLine, lazyExeca, ensureAzCli, ensureAzAuth, fetchMyIp, subArgs } from "./azure.js";
+import { parseCidr, cidrOverlaps } from "./azure-aks-naming.js";
+import { requireCluster } from "./azure-aks-state.js";
+
+// ── API Server IP reconciliation ──────────────────────────────────────────────
+
+export async function reconcileApiServerIp(ctx) {
+  const { execa, clusterName, rg, sub, cluster } = ctx;
+  const myIp = await fetchMyIp();
+  if (!myIp) return;
+
+  const ranges = cluster.apiServerAccessProfile?.authorizedIpRanges || [];
+  if (ranges.length === 0) {
+    hint(`Scoping API server to ${myIp}…`);
+    await execa("az", [
+      "aks", "update", "-g", rg, "-n", clusterName,
+      "--api-server-authorized-ip-ranges", `${myIp}/32`,
+      "--output", "none", ...subArgs(sub),
+    ], { timeout: 120000 });
+    console.log(OK(`  ✓ API server scoped to ${myIp}/32`));
+  } else if (!ranges.some(r => r.startsWith(myIp))) {
+    const updated = [...ranges, `${myIp}/32`].join(",");
+    hint(`Adding ${myIp} to authorized IP ranges…`);
+    await execa("az", [
+      "aks", "update", "-g", rg, "-n", clusterName,
+      "--api-server-authorized-ip-ranges", updated,
+      "--output", "none", ...subArgs(sub),
+    ], { timeout: 120000 });
+    console.log(OK(`  ✓ API server ranges updated (${ranges.length + 1} IPs)`));
+  } else {
+    console.log(OK(`  ✓ API server already includes ${myIp}`));
+  }
+}
+
+// ── Standalone whitelist-me command ──────────────────────────────────────────
+
+export async function aksWhitelistMe(opts = {}) {
+  const execa = await lazyExeca();
+  const sub = opts.profile;
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: sub });
+
+  const cluster = requireCluster(opts.clusterName);
+  const { clusterName, resourceGroup: rg } = cluster;
+
+  const myIp = await fetchMyIp();
+  if (!myIp) {
+    console.error(ERR("\n  Could not detect your public IP address.\n"));
+    process.exit(1);
+  }
+
+  hint(`Checking API server authorized IP ranges for ${clusterName}…`);
+
+  const { stdout: clusterJson, exitCode } = await execa("az", [
+    "aks", "show", "-g", rg, "-n", clusterName, "--output", "json", ...subArgs(sub),
+  ], { reject: false, timeout: 30000 });
+
+  if (exitCode !== 0) {
+    console.error(ERR(`\n  Failed to query cluster ${clusterName}\n`));
+    process.exit(1);
+  }
+
+  const clusterData = JSON.parse(clusterJson);
+  const ranges = clusterData.apiServerAccessProfile?.authorizedIpRanges || [];
+  const myCidr = `${myIp}/32`;
+
+  if (ranges.length === 0) {
+    hint(`Scoping API server to ${myIp}…`);
+    const { exitCode: upCode } = await execa("az", [
+      "aks", "update", "-g", rg, "-n", clusterName,
+      "--api-server-authorized-ip-ranges", myCidr,
+      "--output", "none", ...subArgs(sub),
+    ], { reject: false, timeout: 120000 });
+    if (upCode !== 0) {
+      console.error(ERR(`\n  Failed to update API server authorized IP ranges\n`));
+      process.exit(1);
+    }
+    console.log(OK(`\n  ✓ API server scoped to ${myCidr}\n`));
+  } else if (ranges.some(r => r.startsWith(myIp))) {
+    console.log(OK(`\n  ✓ ${myCidr} is already whitelisted for API server on ${clusterName}\n`));
+  } else {
+    const updated = [...ranges, myCidr].join(",");
+    hint(`Adding ${myIp} to authorized IP ranges (${ranges.length} existing)…`);
+    const { exitCode: upCode } = await execa("az", [
+      "aks", "update", "-g", rg, "-n", clusterName,
+      "--api-server-authorized-ip-ranges", updated,
+      "--output", "none", ...subArgs(sub),
+    ], { reject: false, timeout: 120000 });
+    if (upCode !== 0) {
+      console.error(ERR(`\n  Failed to update API server authorized IP ranges\n`));
+      process.exit(1);
+    }
+    console.log(OK(`\n  ✓ API server whitelisted for ${myCidr} on ${clusterName}\n`));
+    console.log(`  Authorized IPs: ${[...ranges, myCidr].join(", ")}\n`);
+  }
+}
+
+// ── Network access configuration (Key Vault, Storage) ─────────────────────────
+
+export async function reconcileNetworkAccess(ctx) {
+  const { execa, clusterName, rg, sub, cluster, opts } = ctx;
+  const nodeRg = cluster.nodeResourceGroup;
+
+  if (!nodeRg) {
+    console.log(WARN("  ⚠ Cannot configure network access — nodeResourceGroup not found"));
+    return;
+  }
+
+  // Find the AKS VNet and subnet
+  const { stdout: vnetJson } = await execa("az", [
+    "network", "vnet", "list", "-g", nodeRg, "--output", "json", ...subArgs(sub),
+  ], { timeout: 30000, reject: false });
+
+  const vnets = JSON.parse(vnetJson || "[]");
+  if (vnets.length === 0) {
+    console.log(WARN("  ⚠ No VNet found in node resource group"));
+    return;
+  }
+
+  const vnet = vnets[0];
+  const aksSubnet = vnet.subnets?.find(s => s.name === "aks-subnet") || vnet.subnets?.[0];
+  if (!aksSubnet) {
+    console.log(WARN("  ⚠ No subnet found in AKS VNet"));
+    return;
+  }
+
+  const vnetName = vnet.name;
+  const subnetName = aksSubnet.name;
+  const subnetId = aksSubnet.id;
+
+  banner("Network Access Configuration");
+  kvLine("VNet", DIM(`${vnetName} (${nodeRg})`));
+  kvLine("Subnet", DIM(subnetName));
+
+  // 1. Add service endpoints to subnet
+  const existingEndpoints = (aksSubnet.serviceEndpoints || []).map(e => e.service);
+  const neededEndpoints = ["Microsoft.KeyVault", "Microsoft.Storage"];
+  const missingEndpoints = neededEndpoints.filter(e => !existingEndpoints.includes(e));
+
+  if (missingEndpoints.length > 0) {
+    hint(`Adding service endpoints: ${missingEndpoints.join(", ")}...`);
+    const allEndpoints = [...new Set([...existingEndpoints, ...neededEndpoints])];
+
+    const { exitCode: seCode, stderr: seErr } = await execa("az", [
+      "network", "vnet", "subnet", "update",
+      "-g", nodeRg,
+      "--vnet-name", vnetName,
+      "-n", subnetName,
+      "--service-endpoints", ...allEndpoints,
+      "--output", "none",
+      ...subArgs(sub),
+    ], { timeout: 120000, reject: false });
+
+    if (seCode !== 0) {
+      console.log(WARN(`  ⚠ Service endpoints: ${(seErr || "").split("\n")[0]}`));
+    } else {
+      console.log(OK(`  ✓ Service endpoints added: ${missingEndpoints.join(", ")}`));
+    }
+  } else {
+    console.log(OK("  ✓ Service endpoints already configured"));
+  }
+
+  // 2. Configure Key Vault network access
+  const kvNameVal = opts.keyvault || `fops-${clusterName}-kv`;
+  const { exitCode: kvExists } = await execa("az", [
+    "keyvault", "show", "--name", kvNameVal, "--output", "none", ...subArgs(sub),
+  ], { reject: false, timeout: 15000 });
+
+  if (kvExists === 0) {
+    hint(`Configuring Key Vault "${kvNameVal}" network access...`);
+
+    // Add VNet rule
+    const { exitCode: kvRuleCode } = await execa("az", [
+      "keyvault", "network-rule", "add",
+      "--name", kvNameVal,
+      "--subnet", subnetId,
+      "--output", "none",
+      ...subArgs(sub),
+    ], { timeout: 60000, reject: false });
+
+    if (kvRuleCode === 0) {
+      console.log(OK(`  ✓ Key Vault VNet rule added`));
+    }
+
+    // Set default action to Deny (private)
+    const { exitCode: kvDenyCode } = await execa("az", [
+      "keyvault", "update",
+      "--name", kvNameVal,
+      "--default-action", "Deny",
+      "--bypass", "AzureServices",
+      "--output", "none",
+      ...subArgs(sub),
+    ], { timeout: 60000, reject: false });
+
+    if (kvDenyCode === 0) {
+      console.log(OK(`  ✓ Key Vault set to private`));
+    }
+  } else {
+    console.log(DIM(`  · Key Vault "${kvNameVal}" not found — skipping`));
+  }
+
+  // 3. Configure Storage Account network access
+  const { stdout: storageJson } = await execa("az", [
+    "storage", "account", "list", "-g", rg, "--output", "json", ...subArgs(sub),
+  ], { timeout: 30000, reject: false });
+
+  const storageAccounts = JSON.parse(storageJson || "[]");
+  for (const sa of storageAccounts) {
+    const saName = sa.name;
+    hint(`Configuring Storage Account "${saName}" network access...`);
+
+    // Add VNet rule
+    const { exitCode: saRuleCode } = await execa("az", [
+      "storage", "account", "network-rule", "add",
+      "--account-name", saName,
+      "-g", rg,
+      "--subnet", subnetId,
+      "--output", "none",
+      ...subArgs(sub),
+    ], { timeout: 60000, reject: false });
+
+    if (saRuleCode === 0) {
+      console.log(OK(`  ✓ Storage "${saName}" VNet rule added`));
+    }
+
+    // Set default action to Deny (private)
+    const { exitCode: saDenyCode } = await execa("az", [
+      "storage", "account", "update",
+      "--name", saName,
+      "-g", rg,
+      "--default-action", "Deny",
+      "--bypass", "AzureServices",
+      "--output", "none",
+      ...subArgs(sub),
+    ], { timeout: 60000, reject: false });
+
+    if (saDenyCode === 0) {
+      console.log(OK(`  ✓ Storage "${saName}" set to private`));
+    }
+  }
+}
+
+// ── Find available subnet CIDR ────────────────────────────────────────────────
+
+export async function findAvailableSubnetCidr(execa, nodeRg, vnetName, vnetPrefix, sub) {
+  let existingCidrs = [];
+  try {
+    const { stdout } = await execa("az", [
+      "network", "vnet", "subnet", "list",
+      "-g", nodeRg, "--vnet-name", vnetName, "--output", "json",
+      ...subArgs(sub),
+    ], { timeout: 15000 });
+    const subnets = JSON.parse(stdout || "[]");
+    existingCidrs = subnets.flatMap(s => s.addressPrefix ? [s.addressPrefix] : (s.addressPrefixes || []));
+  } catch (err) {
+    console.log(WARN(`  ⚠ Could not list existing subnets: ${err.message}`));
+  }
+
+  const { start: vnetStart, end: vnetEnd } = parseCidr(vnetPrefix);
+
+  // Scan /24 blocks from the top of the VNet range downward to avoid
+  // collisions with AKS's default low-range subnets (often a wide /16).
+  const blockSize = 256;
+  const topBlock = (vnetEnd - blockSize + 1) >>> 0;
+  let iterations = 0;
+  for (let addr = topBlock; addr >= vnetStart && iterations < 4096; addr = (addr - blockSize) >>> 0, iterations++) {
+    const o1 = (addr >>> 24) & 0xFF;
+    const o2 = (addr >>> 16) & 0xFF;
+    const o3 = (addr >>> 8) & 0xFF;
+    const candidate = `${o1}.${o2}.${o3}.0/24`;
+    if (!cidrOverlaps(candidate, existingCidrs)) return candidate;
+    if (addr === 0) break;
+  }
+
+  throw new Error(
+    `No available /24 subnet in VNet ${vnetName} (${vnetPrefix}). ` +
+    `Existing subnets: ${existingCidrs.join(", ")}. Free a subnet or expand the VNet address space.`
+  );
+}
+
+// ── Find AKS VNet ─────────────────────────────────────────────────────────────
+
+export async function findAksVnet(execa, { nodeRg, sub }) {
+  const { stdout } = await execa("az", [
+    "network", "vnet", "list",
+    "--resource-group", nodeRg,
+    "--query", "[0].name", "-o", "tsv", ...subArgs(sub),
+  ], { reject: false, timeout: 15000 });
+  return (stdout || "").trim();
+}