Refactor certificate configuration functions to make things less comp…

…licated.

Refractor verify_roles to fit with new certificate functions.

Add references to azsecd scan
Move azsecd config file creation out of certificate configuration.

Use seq in for loop while retrying commands, providing simplification.

pkg/deploy/generator/scripts/util-common.sh

@@ -2,15 +2,21 @@
 # Internal Functions and Constants
 
 # empty_str - constant; used by functions for optional nameref string arguements
+# empty_str=""
 # shellcheck disable=SC2034
 declare -r empty_str=""
 
-# role_gateway is used to determine which VMSS is being bootstrapped
+# role_gateway - constant; Is used to determine which VMSS is being bootstrapped
 # this should be referenced by scripts sourcing this file
+# role_gateway="gateway"
 declare -r role_gateway="gateway"
-# role_rp is used to determine which VMSS is being bootstrapped
+# role_rp - constant; Is used to determine which VMSS is being bootstrapped
 # this should be referenced by scripts sourcing this file
+# role_rp="rp"
 declare -r role_rp="rp"
+# role_devproxy - constant; Is used to determine which VMSS is being bootstrapped
+# role_devproxy="devproxy"
+declare -r role_devproxy="devproxy"
 
 # log is a wrapper for echo that includes the function name
 # Args
@@ -59,19 +65,17 @@ retry() {
     local -n wait_time="$2"
     local -ri retries="${3:-5}"
 
-    for attempt in {1..5}; do
+
+    for attempt in $(seq 1 $retries); do
         log "attempt #${attempt} - ${FUNCNAME[2]}"
         # shellcheck disable=SC2068
         ${cmd_retry[@]} &
 
-        wait $! && break
-        if [ "${attempt}" -le "$retries" ]; then
-            sleep "$wait_time"
-        else
-            # TODO remove packages from this error
-            abort "attempt #${attempt} - Failed to update packages"
-        fi
+        wait -f $! && return 0
+        sleep "$wait_time"
     done
+
+    abort "${cmd_retry[*]} failed after #$retries attempts"
 }
 
 # verify_role
@@ -85,7 +89,7 @@ verify_role() {
     allowed_roles_glob="($role_rp|$role_gateway)"
     if $certs; then
         # remove trailing ")" and append additional role
-        allowed_roles_glob="${allowed_roles_glob%\)*}|devproxy)"
+        allowed_roles_glob="${allowed_roles_glob%\)*}|$role_devproxy)"
     fi
 
     if [[ "$test_role" =~ $allowed_roles_glob ]]; then

pkg/deploy/generator/scripts/util-services.sh

@@ -654,17 +654,19 @@ configure_vmss_aro_services() {
 
     if [ "$r" == "$role_gateway" ]; then
         configure_service_aro_gateway "${images["rp"]}" "$1" "${configs["gateway_config"]}" "${configs["network"]}"
+        configure_certs_gateway
     elif [ "$r" == "$role_rp" ]; then
         configure_service_aro_rp "${images["rp"]}" "$1" "${configs["rp_config"]}" "${configs["network"]}"
         configure_service_aro_monitor "${images["rp"]}" "${configs["network"]}"
         configure_service_aro_portal "${images["rp"]}" "${configs["network"]}"
+        configure_certs_rp
     fi
 
     configure_service_fluentbit "${configs["fluentbit"]}" "${images["fluentbit"]}" "${configs["network"]}"
     configure_service_mdm "$1" "${images["mdm"]}" "${configs["network"]}"
     configure_service_mdsd "$1" "${configs["mdsd"]}"
-    configure_certs "$1"
     configure_timers_mdm_mdsd "$1"
+    run_azsecd_config_scan
 }
 
 util_common="util-common.sh"

pkg/deploy/generator/scripts/util-system.sh

@@ -206,43 +206,61 @@ pull_container_images() {
     retry cmd retry_time
 }
 
-# configure_certs
-# args:
-# 1) role - string; can be "devproxy" or "rp"
-configure_certs() {
-    local -n role="$1"
+configure_certs_general() {
     log "starting"
-    log "Configuring certificates for $role"
-
-    verify_role role true
-
-    if [ "$role" == "devproxy" ]; then
-        local -r proxy_certs_basedir="/etc/proxy"
-        mkdir -p "$proxy_certs_basedir"
-        base64 -d <<<"$PROXYCERT" > "$proxy_certs_basedir/proxy.crt"
-        base64 -d <<<"$PROXYKEY" > "$proxy_certs_basedir/proxy.key"
-        base64 -d <<<"$PROXYCLIENTCERT" > "$proxy_certs_basedir/proxy-client.crt"
-        chown -R 1000:1000 /etc/proxy
-        chmod 0600 "$proxy_certs_basedir/proxy.key"
-        return 0
-    fi
-
-    if [ "$role" == "rp" ]; then
-        local -r rp_certs_basedir="/etc/aro-rp"
-        mkdir -p "$rp_certs_basedir"
-        base64 -d <<<"$ADMINAPICABUNDLE" > "$rp_certs_basedir/admin-ca-bundle.pem"
-        if [[ -n "$ARMAPICABUNDLE" ]]; then
-        base64 -d <<<"$ARMAPICABUNDLE" > "$rp_certs_basedir/arm-ca-bundle.pem"
-        fi
-        chown -R 1000:1000 "$rp_certs_basedir"
-    fi
 
     # setting MONITORING_GCS_AUTH_ID_TYPE=AuthKeyVault seems to have caused mdsd not
     # to honour SSL_CERT_FILE any more, heaven only knows why.
     local -r ssl_certs_basedir="/usr/lib/ssl/certs"
     mkdir -p "$ssl_certs_basedir"
     csplit -f "$ssl_certs_basedir/cert-" -b %03d.pem /etc/pki/tls/certs/ca-bundle.crt /^$/1 "{*}" 1>/dev/null
     c_rehash "$ssl_certs_basedir"
+}
+
+# configure_certs
+# args:
+# 1) role - string; can be "devproxy" or "rp"
+# certs_configure_rp
+configure_certs_rp() {
+    log "starting"
+
+    verify_role role_rp
+
+    local -r rp_certs_basedir="/etc/aro-rp"
+    mkdir -p "$rp_certs_basedir"
+    base64 -d <<<"$ADMINAPICABUNDLE" > "$rp_certs_basedir/admin-ca-bundle.pem"
+    if [[ -n "$ARMAPICABUNDLE" ]]; then
+    base64 -d <<<"$ARMAPICABUNDLE" > "$rp_certs_basedir/arm-ca-bundle.pem"
+    fi
+    chown -R 1000:1000 "$rp_certs_basedir"
+
+    configure_certs_general
+}
+
+# configure_certs_gateway
+configure_certs_gateway() {
+    log "starting"
+
+    verify_role role_gateway
+    configure_certs_general
+}
+
+configure_certs_devproxy() {
+    log "starting"
+
+    verify_role role_devproxy true
+
+    local -r proxy_certs_basedir="/etc/proxy"
+    mkdir -p "$proxy_certs_basedir"
+    base64 -d <<<"$PROXYCERT" > "$proxy_certs_basedir/proxy.crt"
+    base64 -d <<<"$PROXYKEY" > "$proxy_certs_basedir/proxy.key"
+    base64 -d <<<"$PROXYCLIENTCERT" > "$proxy_certs_basedir/proxy-client.crt"
+    chown -R 1000:1000 /etc/proxy
+    chmod 0600 "$proxy_certs_basedir/proxy.key"
+}
+
+configure_azsecd_scan() {
+    log "starting"
 
     # we leave clientId blank as long as only 1 managed identity assigned to vmss
     # if we have more than 1, we will need to populate with clientId used for off-node scanning
@@ -266,6 +284,8 @@ configure_certs() {
 run_azsecd_config_scan() {
     log "starting"
 
+    configure_azsecd_scan
+
     local -ar configs=(
         "baseline"
         "clamav"