From a967dcee530faeadd5f4d21d33c45066224688c1 Mon Sep 17 00:00:00 2001 From: Gerd Oberlechner Date: Fri, 8 Nov 2024 09:23:45 +0100 Subject: [PATCH] provision shard generation with cx keyvaults adapts the provision shard configuration to the new format with the dedicated azure section, referencing the the DNS zone, and MGMT cluster KVs to use (CX secrets + CX MSI). Signed-off-by: Gerd Oberlechner --- cluster-service/.gitignore | 2 +- cluster-service/Makefile | 20 +++++++++++-------- cluster-service/config.tmpl.mk | 5 +++++ .../deploy/dev-provisioning-shards.tmpl.yml | 18 ----------------- .../deploy/provisioning-shards.tmpl.yml | 9 ++++++--- 5 files changed, 24 insertions(+), 30 deletions(-) delete mode 100644 cluster-service/deploy/dev-provisioning-shards.tmpl.yml diff --git a/cluster-service/.gitignore b/cluster-service/.gitignore index b714207f2e..4492bf9c65 100644 --- a/cluster-service/.gitignore +++ b/cluster-service/.gitignore @@ -1,5 +1,5 @@ deploy/tmp-provisioning-shard.yml deploy/provisioning-shards.yml -deploy/dev-provisioning-shards.yml +deploy/local-provisioning-shards.yml deploy/azure-runtime-config.yaml config.mk diff --git a/cluster-service/Makefile b/cluster-service/Makefile index ac2f3c6b54..e24845c796 100644 --- a/cluster-service/Makefile +++ b/cluster-service/Makefile @@ -41,7 +41,7 @@ deploy-local-db-secret: configure-tmp-provision-shard -p PROVISION_SHARDS_CONFIG="$$( base64 -i deploy/provisioning-shards.yml)" | oc apply -f - oc process --local -f deploy/openshift-templates/arohcp-db-template.yml | oc apply -f - -deploy-azure-db-secret: configure-tmp-provision-shard +deploy-azure-db-secret: provision-shard oc process --local -f deploy/openshift-templates/arohcp-secrets-template.yml \ -p DATABASE_USER=clusters-service \ -p DATABASE_NAME=clusters-service \ 
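Review bot: `deploy-local-db-secret: configure-tmp-provision-shard`, visible here only as hunk-header context, still names the target that the next hunk of this Makefile deletes, so unless it is redefined elsewhere `make deploy-local-db-secret` will fail on a missing prerequisite. Its recipe appears to be the one that base64-encodes deploy/provisioning-shards.yml, which `provision-shard` now produces, so the dependency should follow the change made to `deploy-azure-db-secret` in this hunk: `deploy-local-db-secret: provision-shard`. The `deploy-azure-db-secret` recipe continues past the end of the hunk.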
@@ -49,21 +49,25 @@ deploy-azure-db-secret: configure-tmp-provision-shard -p DATABASE_HOST=$(shell az postgres flexible-server show --resource-group ${RESOURCEGROUP} -n ${DATABASE_SERVER_NAME} --query fullyQualifiedDomainName -o tsv) \ -p PROVISION_SHARDS_CONFIG="$$( base64 -i deploy/provisioning-shards.yml)" | oc apply -f - -configure-tmp-provision-shard: - ZONE_RESOURCE_ID=$(shell az network dns zone show -n ${ZONE_NAME} -g ${REGIONAL_RESOURCEGROUP} --query id -o tsv) && \ - ../templatize.sh $(DEPLOY_ENV) deploy/provisioning-shards.tmpl.yml deploy/provisioning-shards.yml -e zoneResourceId=$${ZONE_RESOURCE_ID} - deploy-pr-env-deps: AZURE_CS_MI_CLIENT_ID=$(shell az identity show -g ${RESOURCEGROUP} -n clusters-service --query clientId -o tsv) && \ oc process --local -f deploy/integration/cluster-service-namespace.yaml \ -p CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} | oc apply -f - -# for local development provision-shard: - ZONE_RESOURCE_ID=$(shell az network dns zone show -n ${ZONE_NAME} -g ${REGIONAL_RESOURCEGROUP} --query id -o tsv) && \ - ../templatize.sh $(DEPLOY_ENV) deploy/provisioning-shards.tmpl.yml deploy/provisioning-shards.yml -e zoneResourceId=$${ZONE_RESOURCE_ID} + @ZONE_RESOURCE_ID=$(shell az network dns zone show -n ${ZONE_NAME} -g ${REGIONAL_RESOURCEGROUP} --query id -o tsv) && \ + CX_SECRETS_KV_URL=$(shell az keyvault show -n ${CX_SECRETS_KV_NAME} -g ${MGMT_RESOURCEGROUP} --query properties.vaultUri -o tsv) && \ + CX_MI_KV_URL=$(shell az keyvault show -n ${CX_MI_KV_NAME} -g ${MGMT_RESOURCEGROUP} --query properties.vaultUri -o tsv) && \ + ../templatize.sh $(DEPLOY_ENV) deploy/provisioning-shards.tmpl.yml deploy/provisioning-shards.yml -e zoneResourceId=$${ZONE_RESOURCE_ID},cxSecretsKeyVaultUrl=$${CX_SECRETS_KV_URL},cxMiKeyVaultUrl=$${CX_MI_KV_URL},maestroRestUrl=http://maestro.maestro.svc.cluster.local:8000,maestroGrpUrl=maestro-grpc.maestro.svc.cluster.local:8090 @cat deploy/provisioning-shards.yml +local-deploy-provision-shard: + 
@ZONE_RESOURCE_ID=$(shell az network dns zone show -n ${ZONE_NAME} -g ${REGIONAL_RESOURCEGROUP} --query id -o tsv) && \ + CX_SECRETS_KV_URL=$(shell az keyvault show -n ${CX_SECRETS_KV_NAME} -g ${MGMT_RESOURCEGROUP} --query properties.vaultUri -o tsv) && \ + CX_MI_KV_URL=$(shell az keyvault show -n ${CX_MI_KV_NAME} -g ${MGMT_RESOURCEGROUP} --query properties.vaultUri -o tsv) && \ + ../templatize.sh $(DEPLOY_ENV) deploy/provisioning-shards.tmpl.yml deploy/local-provisioning-shards.yml -e zoneResourceId=$${ZONE_RESOURCE_ID},cxSecretsKeyVaultUrl=$${CX_SECRETS_KV_URL},cxMiKeyVaultUrl=$${CX_MI_KV_URL},maestroRestUrl=http://localhost:8080,maestroGrpUrl=localhost:8090 + @cat deploy/local-provisioning-shards.yml + personal-runtime-config: @TENANT_ID=$(shell az account show --query tenantId --output tsv) && \ OIDC_BLOB_SERVICE_ENDPOINT=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${RESOURCEGROUP} --query primaryEndpoints.blob -o tsv) && \ diff --git a/cluster-service/config.tmpl.mk b/cluster-service/config.tmpl.mk index d1e8887167..8628c44aa0 100644 --- a/cluster-service/config.tmpl.mk +++ b/cluster-service/config.tmpl.mk @@ -19,3 +19,8 @@ DATABASE_SERVER_NAME ?= {{ .clusterServicePostgresName }} DB_SECRET_TARGET = {{ ternary "deploy-azure-db-secret" "deploy-local-db-secret" .clusterServicePostgresDeploy }} DEVOPS_MSI_ID ?= {{ .aroDevopsMsiId }} + +# MGMT CLUSTER KVs +MGMT_RESOURCEGROUP ?= {{ .managementClusterRG }} +CX_SECRETS_KV_NAME ?= {{ .cxKeyVaultName }} +CX_MI_KV_NAME ?= {{ .msiKeyVaultName }} diff --git a/cluster-service/deploy/dev-provisioning-shards.tmpl.yml b/cluster-service/deploy/dev-provisioning-shards.tmpl.yml deleted file mode 100644 index 0f99e08eb6..0000000000 --- a/cluster-service/deploy/dev-provisioning-shards.tmpl.yml +++ /dev/null 
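Review bot: In `provision-shard` and `local-deploy-provision-shard` the three `$(shell az ...)` lookups are expanded by make before the recipe runs and become an empty string when the CLI call fails, and nothing in the `&&` chain checks for that, so `templatize.sh` will render a shard config with an empty zone resource id or key vault URL and `deploy-azure-db-secret` will base64-encode and apply it without complaint. A guard ahead of the templatize line in both targets, e.g. `test -n "$${ZONE_RESOURCE_ID}" -a -n "$${CX_SECRETS_KV_URL}" -a -n "$${CX_MI_KV_URL}" || { echo "provision-shard: empty az lookup result" >&2; exit 1; } && \`, turns that into a visible failure. The two targets also duplicate the three lookups and differ only in the output path and the maestro URLs; hoisting the lookups into Make variables or a shared prerequisite would keep them from drifting. The extra-var name `maestroGrpUrl` reads like a typo of `maestroGrpcUrl`; it is used consistently with the template change in this commit, so renaming is optional but must be done in both places.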
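Review bot: The new `# MGMT CLUSTER KVs` comment does not say what the three variables are for or where they are consumed; from the Makefile change in this commit, `MGMT_RESOURCEGROUP` is the group passed to `az keyvault show` for both vault names, so both vaults are expected to live in that single resource group. A comment stating that, e.g. `# Management-cluster resource group and the two key vaults in it (CX secrets, CX managed identities) that provision-shard resolves to vault URIs`, would save the next reader a trip to the Makefile. The `?=` assignments match the surrounding variables and keep them overridable from the environment, which is consistent with the rest of the file.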
@@ -1,18 +0,0 @@
-provision_shards:
-- id: 1
-  maestro_config: |
-    {
-      "rest_api_config": {
-        "url": "http://localhost:8001"
-      },
-      "grpc_api_config": {
-        "url": "localhost:8090"
-      },
-      "consumer_name": "{{ .maestroConsumerName }}"
-    }
-  status: active
-  azure_base_domain: {{ .extraVars.zoneResourceId }}
-  management_cluster_id: {{ .regionRG }}
-  region: {{ .regionRG }}
-  cloud_provider: azure
-  topology: dedicated
diff --git a/cluster-service/deploy/provisioning-shards.tmpl.yml b/cluster-service/deploy/provisioning-shards.tmpl.yml
index 95fd14e27f..60817aa889 100644
--- a/cluster-service/deploy/provisioning-shards.tmpl.yml
+++ b/cluster-service/deploy/provisioning-shards.tmpl.yml
@@ -3,16 +3,19 @@ provision_shards:
   maestro_config: |
     {
       "rest_api_config": {
-        "url": "http://maestro.maestro.svc.cluster.local:8000"
+        "url": "{{ .extraVars.maestroRestUrl }}"
       },
       "grpc_api_config": {
-        "url": "maestro-grpc.maestro.svc.cluster.local:8090"
+        "url": "{{ .extraVars.maestroGrpUrl }}"
       },
       "consumer_name": "{{ .maestroConsumerName }}"
     }
   status: active
-  azure_base_domain: "{{ .extraVars.zoneResourceId }}"
   management_cluster_id: local-cluster
   region: {{ .region }}
   cloud_provider: azure
   topology: dedicated
+  azure_shard:
+    public_dns_zone_resource_id: "{{ .extraVars.zoneResourceId }}"
+    cx_secrets_key_vault_url: "{{ .extraVars.cxSecretsKeyVaultUrl }}"
+    cx_managed_identities_key_vault_url: "{{ .extraVars.cxMiKeyVaultUrl }}"
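Review bot: `{{ .extraVars.maestroRestUrl }}` and `{{ .extraVars.maestroGrpUrl }}` replace fixed in-cluster URLs with extra-vars that have no fallback, so any caller of this template that does not pass them (only the two Makefile targets in this commit do) will likely render an empty or unrendered `url` inside `maestro_config`, and the same holds for the three new `azure_shard` values. Because this single template now also serves the local flow that the deleted dev-provisioning-shards.tmpl.yml used to cover, `management_cluster_id: local-cluster` and `region: {{ .region }}` now apply to local development too, where the old file used `{{ .regionRG }}` for both; if anything keyed on those values locally, this is a silent change worth a mention in the commit message. A short comment above `azure_shard:` naming the three inputs and which Makefile targets supply them, e.g. `# filled from extraVars by the provision-shard / local-deploy-provision-shard Makefile targets`, would document the contract.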