provision shard generation with cx keyvaults

adapts the provision shard configuration to the new format with the dedicated azure section, referencing the the DNS zone, and MGMT cluster KVs to use (CX secrets + CX MSI). Signed-off-by: Gerd Oberlechner <goberlec@redhat.com>
Azure · Nov 8, 2024 · a967dce · a967dce
1 parent 717bef5
commit a967dce
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 30 deletions.
diff --git a/cluster-service/.gitignore b/cluster-service/.gitignore
@@ -1,5 +1,5 @@
 deploy/tmp-provisioning-shard.yml
 deploy/provisioning-shards.yml
-deploy/dev-provisioning-shards.yml
+deploy/local-provisioning-shards.yml
 deploy/azure-runtime-config.yaml
 config.mk
diff --git a/cluster-service/Makefile b/cluster-service/Makefile
@@ -41,29 +41,33 @@ deploy-local-db-secret: configure-tmp-provision-shard
 		-p PROVISION_SHARDS_CONFIG="$$( base64 -i deploy/provisioning-shards.yml)" | oc apply -f -
 	oc process --local -f deploy/openshift-templates/arohcp-db-template.yml | oc apply -f -
 
-deploy-azure-db-secret: configure-tmp-provision-shard
+deploy-azure-db-secret: provision-shard
 	oc process --local -f deploy/openshift-templates/arohcp-secrets-template.yml \
 		-p DATABASE_USER=clusters-service \
 		-p DATABASE_NAME=clusters-service \
 		-p DATABASE_PASSWORD="" \
 		-p DATABASE_HOST=$(shell az postgres flexible-server show --resource-group ${RESOURCEGROUP} -n ${DATABASE_SERVER_NAME} --query fullyQualifiedDomainName -o tsv) \
 		-p PROVISION_SHARDS_CONFIG="$$( base64 -i deploy/provisioning-shards.yml)" | oc apply -f -
 
-configure-tmp-provision-shard:
-	ZONE_RESOURCE_ID=$(shell az network dns zone show -n ${ZONE_NAME} -g ${REGIONAL_RESOURCEGROUP} --query id -o tsv) && \
-	../templatize.sh $(DEPLOY_ENV) deploy/provisioning-shards.tmpl.yml deploy/provisioning-shards.yml -e zoneResourceId=$${ZONE_RESOURCE_ID}
-
 deploy-pr-env-deps:
 	AZURE_CS_MI_CLIENT_ID=$(shell az identity show -g ${RESOURCEGROUP} -n clusters-service --query clientId -o tsv) && \
 	oc process --local -f deploy/integration/cluster-service-namespace.yaml \
 		-p CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} | oc apply -f -
 
-# for local development
 provision-shard:
-	ZONE_RESOURCE_ID=$(shell az network dns zone show -n ${ZONE_NAME} -g ${REGIONAL_RESOURCEGROUP} --query id -o tsv) && \
-	../templatize.sh $(DEPLOY_ENV) deploy/provisioning-shards.tmpl.yml deploy/provisioning-shards.yml -e zoneResourceId=$${ZONE_RESOURCE_ID}
+	@ZONE_RESOURCE_ID=$(shell az network dns zone show -n ${ZONE_NAME} -g ${REGIONAL_RESOURCEGROUP} --query id -o tsv) && \
+	CX_SECRETS_KV_URL=$(shell az keyvault show -n ${CX_SECRETS_KV_NAME} -g ${MGMT_RESOURCEGROUP} --query properties.vaultUri -o tsv) && \
+	CX_MI_KV_URL=$(shell az keyvault show -n ${CX_MI_KV_NAME} -g ${MGMT_RESOURCEGROUP} --query properties.vaultUri -o tsv) && \
+	../templatize.sh $(DEPLOY_ENV) deploy/provisioning-shards.tmpl.yml deploy/provisioning-shards.yml -e zoneResourceId=$${ZONE_RESOURCE_ID},cxSecretsKeyVaultUrl=$${CX_SECRETS_KV_URL},cxMiKeyVaultUrl=$${CX_MI_KV_URL},maestroRestUrl=http://maestro.maestro.svc.cluster.local:8000,maestroGrpUrl=maestro-grpc.maestro.svc.cluster.local:8090
 	@cat deploy/provisioning-shards.yml
 
+local-deploy-provision-shard:
+	@ZONE_RESOURCE_ID=$(shell az network dns zone show -n ${ZONE_NAME} -g ${REGIONAL_RESOURCEGROUP} --query id -o tsv) && \
+	CX_SECRETS_KV_URL=$(shell az keyvault show -n ${CX_SECRETS_KV_NAME} -g ${MGMT_RESOURCEGROUP} --query properties.vaultUri -o tsv) && \
+	CX_MI_KV_URL=$(shell az keyvault show -n ${CX_MI_KV_NAME} -g ${MGMT_RESOURCEGROUP} --query properties.vaultUri -o tsv) && \
+	../templatize.sh $(DEPLOY_ENV) deploy/provisioning-shards.tmpl.yml deploy/local-provisioning-shards.yml -e zoneResourceId=$${ZONE_RESOURCE_ID},cxSecretsKeyVaultUrl=$${CX_SECRETS_KV_URL},cxMiKeyVaultUrl=$${CX_MI_KV_URL},maestroRestUrl=http://localhost:8080,maestroGrpUrl=localhost:8090
+	@cat deploy/local-provisioning-shards.yml
+
 personal-runtime-config:
 	@TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
 	OIDC_BLOB_SERVICE_ENDPOINT=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${RESOURCEGROUP} --query primaryEndpoints.blob -o tsv) && \

diff --git a/cluster-service/config.tmpl.mk b/cluster-service/config.tmpl.mk
@@ -19,3 +19,8 @@ DATABASE_SERVER_NAME ?= {{ .clusterServicePostgresName }}
 DB_SECRET_TARGET = {{ ternary "deploy-azure-db-secret" "deploy-local-db-secret" .clusterServicePostgresDeploy }}
 
 DEVOPS_MSI_ID ?= {{ .aroDevopsMsiId }}
+
+# MGMT CLUSTER KVs
+MGMT_RESOURCEGROUP ?= {{ .managementClusterRG }}
+CX_SECRETS_KV_NAME ?= {{ .cxKeyVaultName }}
+CX_MI_KV_NAME ?= {{ .msiKeyVaultName }}
diff --git a/cluster-service/deploy/dev-provisioning-shards.tmpl.yml b/cluster-service/deploy/dev-provisioning-shards.tmpl.yml
diff --git a/cluster-service/deploy/provisioning-shards.tmpl.yml b/cluster-service/deploy/provisioning-shards.tmpl.yml
@@ -3,16 +3,19 @@ provision_shards:
   maestro_config: |
     {
       "rest_api_config": {
-        "url": "http://maestro.maestro.svc.cluster.local:8000"
+        "url": "{{ .extraVars.maestroRestUrl }}"
       },
       "grpc_api_config": {
-        "url": "maestro-grpc.maestro.svc.cluster.local:8090"
+        "url": "{{ .extraVars.maestroGrpUrl }}"
       },
       "consumer_name": "{{ .maestroConsumerName }}"
     }
   status: active
-  azure_base_domain: "{{ .extraVars.zoneResourceId }}"
   management_cluster_id: local-cluster
   region: {{ .region }}
   cloud_provider: azure
   topology: dedicated
+  azure_shard:
+    public_dns_zone_resource_id: "{{ .extraVars.zoneResourceId }}"
+    cx_secrets_key_vault_url: "{{ .extraVars.cxSecretsKeyVaultUrl }}"
+    cx_managed_identities_key_vault_url: "{{ .extraVars.cxMiKeyVaultUrl }}"