@preetisht preetisht commented Sep 9, 2025

Which issue this PR addresses:

https://issues.redhat.com/browse/ARO-20272

  • VMSS IP Tags for both RP and Gateway
  • Unified Configuration (vmssIpTags, vmssIpTagsDisabledRegions)
  • ARM Conditional Logic to apply empty ipTag for disabled regions
  • Edge Case Handling (empty arrays, missing config)
  • Configuration picked up from RP-Config

Fixes

What this PR does / why we need it:

https://issues.redhat.com/browse/ARO-16025

This is a part of the Microsoft Security Wave 5 fix. All our public IPs for both the MSIT and AME environments for ARO Classic should have FirstPartyUsage tags.

This PR implements IP tags support for Azure Red Hat OpenShift Virtual Machine Scale Sets (VMSS) to comply with Microsoft Security Wave 5 requirements. The implementation adds unified configuration parameters (vmssIpTags, vmssIpTagsDisabledRegions) that enable region-specific IP tagging for both RP and Gateway VMSS public IPs, with ARM template conditional logic that gracefully handles disabled regions by deploying empty IP tags arrays. The solution has ARM conditional logic and includes edge case handling for missing or empty configuration scenarios.

Test plan for issue:

  • make test.go passes all the tests.
  • Deployed in Canary eastus2euap. Post deployment, verify if the new VMSS instances, both RP and GWY, have properly tagged IPs.
  • Create a cluster in Canary and check if the cluster is sending metrics to Geneva.
  • Log into both RP-VMSS and GWY-VMSS instances and check if some of the critical endpoints are accessible.

Is there any documentation that needs to be updated for this PR?

  • A doc will be created on how to deploy in regions where FirstPartyUsage tags have not yet been provided to us by Microsoft.
  • We will create a TSG, which will be a part of another PR, related to monitoring of our public IPs which do not have a FirstPartyUsage tag.

How do you know this will function as expected in production?

  • We will do extensive tests in the Canary region and update all our test cases and results in JIRA.
  • All the artifacts are uploaded and JIRA comments updated.
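
The region gating and empty-configuration handling described in this PR, sketched in Go as an added example; it is not code from this PR or the ARO-RP repository. The function names, struct fields, region-name normalization and the tag value are assumptions made for illustration, and the second function lists the regions that would deploy without a usable FirstPartyUsage tag.

```go
package main

import (
	"fmt"
	"strings"
)

// IPTag is a hypothetical stand-in for one vmssIpTags entry (type plus value).
type IPTag struct{ Type, Tag string }

// normRegion makes "East US", "eastus" and " EastUS " compare equal (assumed rule).
func normRegion(r string) string {
	return strings.ToLower(strings.ReplaceAll(strings.TrimSpace(r), " ", ""))
}

// EffectiveIPTags returns an empty (never nil) slice when the region is
// disabled or nothing is configured, otherwise a copy of the configured tags.
func EffectiveIPTags(tags []IPTag, disabledRegions []string, region string) []IPTag {
	for _, d := range disabledRegions {
		if normRegion(d) == normRegion(region) {
			return []IPTag{}
		}
	}
	return append([]IPTag{}, tags...)
}

// UntaggedRegions lists regions whose public IPs would get no usable FirstPartyUsage tag.
func UntaggedRegions(tags []IPTag, disabledRegions, regions []string) []string {
	var out []string
	for _, r := range regions {
		ok := false
		for _, t := range EffectiveIPTags(tags, disabledRegions, r) {
			ok = ok || (t.Type == "FirstPartyUsage" && strings.TrimSpace(t.Tag) != "")
		}
		if !ok {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// Constructed sample; the tag value is a placeholder, not a real service tag.
	tags := []IPTag{{Type: "FirstPartyUsage", Tag: "/ExampleTagValue"}}
	fmt.Println(UntaggedRegions(tags, []string{"East US"}, []string{"eastus", "eastus2euap"}))
}
```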

- Add IPTag struct and RpVmssIpTags field to Configuration
- Add rpVmssIpTags parameter to ARM template with array type
- Implement IP tags in VMSS PublicIPAddressConfiguration
- Use conditional ARM logic for backward compatibility
- Support FirstPartyUsage type with service tag values

Update deployment assets

Trigger new VMSS deployment for IP tags testing - eastus disabled region validation

New commit ID