Remove dnf cronjob (#3840)

* Remove dnf update cron job Automatic OS Updates are configured. Updating packages via a cron job is no longer required. * Remove certs arg from verify_role, Add/Remove comments Certificate generation has been broken up into a named function for each VMSS role. This means it's no longer necessary to provide the certs=true argumenet when checking VMSS roles. Add a comment for why AZURE_CLOUD_NAME returns an error if unset. Remove az cli login comment from pull_container_images, it is no longer relevant after the last refactor.
Azure · Sep 17, 2024 · aebd2bb · aebd2bb
1 parent 8fdfa78
commit aebd2bb
Show file tree

Hide file tree

Showing 7 changed files with 7 additions and 37 deletions.
diff --git a/pkg/deploy/assets/gateway-production.json b/pkg/deploy/assets/gateway-production.json
diff --git a/pkg/deploy/assets/rp-production.json b/pkg/deploy/assets/rp-production.json
diff --git a/pkg/deploy/generator/scripts/gatewayVMSS.sh b/pkg/deploy/generator/scripts/gatewayVMSS.sh
@@ -51,10 +51,6 @@ main() {
 
     fips_configure
 
-    # TODO remove this once MicrosoftCBLMariner:cbl-mariner:cbl-mariner-2-gen2-fips supports automatic updates
-    # Reference: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade#supported-os-images
-    configure_dnf_cron_job
-
     # shellcheck disable=SC2119
     configure_logrotate
 

diff --git a/pkg/deploy/generator/scripts/rpVMSS.sh b/pkg/deploy/generator/scripts/rpVMSS.sh
@@ -50,10 +50,6 @@ main() {
 
     fips_configure
 
-    # TODO remove this once MicrosoftCBLMariner:cbl-mariner:cbl-mariner-2-gen2-fips supports automatic updates
-    # Reference: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade#supported-os-images
-    configure_dnf_cron_job
-
     # shellcheck disable=SC2119
     configure_logrotate
 
@@ -192,6 +188,9 @@ OIDC_STORAGE_ACCOUNT_NAME='$OIDCSTORAGEACCOUNTNAME'
     reboot_vm
 }
 
+# This variable is used by az-cli
+# It's assumed that if this variable hasn't been carried over, that others are also not present, so we fail early by returning an error
+# This was mostly helpful when testing on a development VM, but is still applicable
 export AZURE_CLOUD_NAME="${AZURECLOUDNAME:?"Failed to carry over variables"}"
 
 # util.sh does not exist when deployed to VMSS via VMSS extensions

diff --git a/pkg/deploy/generator/scripts/util-common.sh b/pkg/deploy/generator/scripts/util-common.sh
@@ -81,17 +81,10 @@ retry() {
 # verify_role
 # args:
 # 1) test_role - nameref; role being verified
-# 2) certs - boolean, optional; defaults to false. Set to true to add devproxy to allowed roles
 verify_role() {
     local -n test_role="$1"
-    local -r certs="${2:-false}"
-
-    allowed_roles_glob="($role_rp|$role_gateway)"
-    if $certs; then
-        # remove trailing ")" and append additional role
-        allowed_roles_glob="${allowed_roles_glob%\)*}|$role_devproxy)"
-    fi
 
+    allowed_roles_glob="($role_rp|$role_gateway|$role_devproxy)"
     if [[ "$test_role" =~ $allowed_roles_glob ]]; then
         log "Verified role \"$test_role\""
     else

diff --git a/pkg/deploy/generator/scripts/util-packages.sh b/pkg/deploy/generator/scripts/util-packages.sh
@@ -86,18 +86,6 @@ dnf_update_pkgs() {
     retry cmd "$2" "${3:-}"
 }
 
-# configure_dnf_cron_job
-# create cron job to auto update rpm packages
-configure_dnf_cron_job() {
-    log "starting"
-    local -r cron_weekly_dnf_update_filename='/etc/cron.weekly/dnfupdate'
-    local -r cron_weekly_dnf_update_file="#!/bin/bash
-dnf update -y"
-
-    write_file cron_weekly_dnf_update_filename cron_weekly_dnf_update_file true
-    chmod u+x "$cron_weekly_dnf_update_filename"
-}
-
 # rpm_import_keys
 # args:
 # 1) keys - nameref, string array; rpm keys to be imported

diff --git a/pkg/deploy/generator/scripts/util-system.sh b/pkg/deploy/generator/scripts/util-system.sh
@@ -142,12 +142,6 @@ pull_container_images() {
 
     # shellcheck disable=SC2034
     local -ri retry_time=30
-    # The managed identity that the VM runs as only has a single roleassignment.
-    # This role assignment is ACRPull which is not necessarily present in the
-    # subscription we're deploying into.  If the identity does not have any
-    # role assignments scoped on the subscription we're deploying into, it will
-    # not show on az login -i, which is why the below line is commented.
-    # az account set -s "$SUBSCRIPTIONID"
     cmd=(
         az
         login
@@ -248,7 +242,7 @@ configure_certs_gateway() {
 configure_certs_devproxy() {
     log "starting"
 
-    verify_role role_devproxy true
+    verify_role role_devproxy
 
     local -r proxy_certs_basedir="/etc/proxy"
     mkdir -p "$proxy_certs_basedir"