Removed DBToken. Made the components uses Managed Identity

[anshulvermapatel]

Which issue this PR addresses:

As part of the ARO-5512 , we needed to disable local auth for cosmosdb. In order to disable local authentication, this PR is to make our components rely on managed identities/entra id rather than keys for authentication/authorizing cosmosdb.

This is currently a draft PR as I will be testing it in the INT env first before going forward, however, reviews are appreciated.

I have manually changed some generated code here. That was because the PR I created to have the generated code changed is not merged yet. Once that is merged, I will generate the code from the go-cosmosdb repo itself just like how we usually do.

Fixes
ARO-7195
ARO-7314

[github-actions]

Please rebase pull request.

[bennerv]

Also need to remove:

• rm docs/dbtoken-service.md
• The load balancing rule to allow gateway to talk to the dbtoken service from pkg/deploy (should be in templates)

We probably don't need to peer the gateway and RP vnets anymore. We might be able to remove that peering as well. Which would be good for overall security posture.

[bennerv]

the error logic handling is changing here. Should it be? Should we only ignore errors of http.StatusConflict from cosmosdb?

[anshulvermapatel]

So this method is to create/update so if there is already something there, it will just make an update which would be nothing if the triggers are same. I ran this multiple times on the same cosmosdb database and it didn't return http.StatusConflict even when the triggers were already there.

[bennerv]

Do we have an over-arching context assocaited with this function already? is the old method triggerc.Create(ctx, trigger) blocking vs now we have to poll?

[anshulvermapatel]

Previously, we used to get access to create/modify triggers using the keys, however now since we are using managed identities at cosmosdb scope, we cannot do any management operations on triggers(as it being management resource) because for that, the request must go through ARM and not directly to database.
https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#permission-model

[bennerv]

This scope is incorrect for government cloud (and any non-Azure Public Cloud)

We should read the url from the env struct we use everywhere to be cloud aware.

https://learn.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure

[anshulvermapatel]

Gotcha! .. sorry for that, I'll correct it.

[bennerv]

I think there's a problem inherently with this function.

The token we request from AAD with the scope is a short-lived credential (~12 hrs max I believe). That means that at some point, the token will expire both from AAD MSI perspective and cosmosdb perspective. As a result, we may need some refreshing of the actual database client in all places where it's used.

Previously, we used the primary database keys which never expire but are rotatable. That's why we didn't need to implement any database client reconstruction due to token expiration. Now we more than likely do.

The best way to test this would be to run an RP for a long time (or get the expiration of the token from this function) and see what happens when you get past the expiration time.

[anshulvermapatel]

The azcore.TokenCredential, it is indeed an object for tokens but it does not statically contains the token. It has a getToken() method which gives a refreshed token every time we call the method.
There is a token refresh logic in place in this go-cosmosdb code in this PR which cache the token. Every time we make a request, it is check is the current token is expired or 5 mins left to expire, if so it calls getToken() to get an updated token else use the cached ones.

[jaitaiwan]

Is it possible on quieter regions that we might not have a request for over 12 hours? Would that have any effect?

[anshulvermapatel]

No, because everything a request goes to cosmosdb, there's a method Authorize() which gets called, and this method has the logic to acquire the token if the token is expired. The same logic which we were discussing lately.

[anshulvermapatel]

/azp run ci,e2e

[azure-pipelines]

Pull request contains merge conflicts.

[github-actions]

Please rebase pull request.

[jaitaiwan]

A few small comments. Nothing critical. Seems like this PR really needs folks to manually test - is there instructions for how one might do this?

[jaitaiwan]

Are there any changes in this file that aren't formatting? A quick review seemed like there wasn't any meaningful changes to this file which make me think it should be removed from the PR.

[anshulvermapatel]

Ahh, I think prettier plugin changed this file. I will remove this changes.
I did remove this portion though:

az keyvault certificate import
--vault-name "$KEYVAULT_PREFIX-dbt"
--name dbtoken-server
--file secrets/localhost.pem >/dev/null

[jaitaiwan]

Is it possible on quieter regions that we might not have a request for over 12 hours? Would that have any effect?

[jaitaiwan]

We should just remove this entirely I think

[anshulvermapatel]

remove what? line 52 // loadbalancers network.LoadBalancersClient ?
I was not sure about if this is affecting something or not, so I just commented it out for now. I will remove that as well once I have more peer reviews on this.

[jaitaiwan]

We should just remove this entirely I think

[anshulvermapatel]

same thing

[anshulvermapatel]

/azp run ci,e2e

[azure-pipelines]

Azure Pipelines successfully started running 2 pipeline(s).

[niontive]

Regarding impact for billing service:

1. Billing uses master key authorization and doesn't go through DB token service. Consequently, we can remove db token service and not affect billing.

2. Billing is using an older ARO-RP module release, so we can update the latest one and not affect billing.

3. For rollout, don't disable local auth for CosmosDB. We'll migrate billing service to not use master key authorization, rollout billing, then we should be good to disable local auth for Cosmos DB.