From f773cbe881c516d817493892462ede91bc28db00 Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Tue, 18 Feb 2025 11:28:49 +0100
Subject: [PATCH] maestro fixes
Signed-off-by: Gerd Oberlechner
---
 maestro/agent/pipeline.yaml | 2 ++
 maestro/server/Makefile | 5 ++---
 maestro/server/helm/templates/maestro.serviceaccount.yaml | 1 +
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/maestro/agent/pipeline.yaml b/maestro/agent/pipeline.yaml
index 56bbdc59e..4b7521c5b 100644
--- a/maestro/agent/pipeline.yaml
+++ b/maestro/agent/pipeline.yaml
@@ -32,6 +32,8 @@ resourceGroups:
 configRef: maestro.agentSideCar.imageBase
 - name: SIDECAR_IMAGE_TAG
 configRef: maestro.agentSideCar.imageTag
+ - name: ACR_NAME
+ configRef: svcAcrName
 - name: {{ .svc.rg }}
 subscription: {{ .svc.subscription }}
 aksCluster: {{ .svc.aks.name }}
diff --git a/maestro/server/Makefile b/maestro/server/Makefile
index 0c7df5789..433d7b8ee 100644
--- a/maestro/server/Makefile
+++ b/maestro/server/Makefile
@@ -10,8 +10,7 @@ deploy:
 MAESTRO_MI_CLIENT_ID=$(shell az identity show -g "${SVC_RG}" -n ${MANAGED_IDENTITY_NAME} --query clientId -o tsv) && \
 DATABASE_HOST=$$(if [ "${USE_AZURE_DB}" = "true" ]; then az postgres flexible-server show -g ${SVC_RG} -n ${DATABASE_SERVER_NAME} --query fullyQualifiedDomainName -o tsv; else echo "maestro-db"; fi) && \
 OVERRIDES=$$(if [ "${USE_AZURE_DB}" = "true" ]; then echo "azuredb.values.yaml"; else echo "containerdb.values.yaml"; fi) && \
- IMAGE_PULLER_MI_CLIENT_ID=$(shell az identity show -g ${RESOURCEGROUP} -n image-puller --query clientId -o tsv) && \
- IMAGE_PULLER_MI_TENANT_ID=$(shell az identity show -g ${RESOURCEGROUP} -n image-puller --query tenantId -o tsv) && \
+ IMAGE_PULLER_MI_CLIENT_ID=$(shell az identity show -g ${SVC_RG} -n image-puller --query clientId -o tsv) && \
 ${HELM_CMD} maestro-server ./helm \
 --namespace ${NAMESPACE} \
 -f helm/$${OVERRIDES} \
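Review bot: In the maestro/server/Makefile hunk, the new `IMAGE_PULLER_MI_CLIENT_ID=$(shell az identity show ...)` line is expanded by make before the recipe shell runs, so a failed lookup (wrong resource group, missing `image-puller` identity, expired login) yields an empty string and the `&&` chain still proceeds to helm with an empty `pullBinding.workloadIdentityClientId`. Running the lookup in the recipe shell lets the chain stop on failure, and quoting the group matches the `MAESTRO_MI_CLIENT_ID` line above: `IMAGE_PULLER_MI_CLIENT_ID=$$(az identity show -g "${SVC_RG}" -n image-puller --query clientId -o tsv) && \`. The `deploy` recipe begins before this hunk and continues past it, so the same pattern on lines outside the hunk is not covered here.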
@@ -31,7 +30,7 @@ deploy:
 --set clusterService.namespace=${CS_NAMESPACE} \
 --set clusterService.serviceAccount=${CS_SERVICE_ACCOUNT_NAME} \
 --set pullBinding.workloadIdentityClientId="$${IMAGE_PULLER_MI_CLIENT_ID}" \
- --set pullBinding.workloadIdentityTenantId="$${IMAGE_PULLER_MI_TENANT_ID}" \
+ --set pullBinding.workloadIdentityTenantId="$${TENANT_ID}" \
 --set pullBinding.registry=${ACR_NAME}.azurecr.io \
 --set pullBinding.scope=repository:${IMAGE_BASE}:pull
 .PHONY: deploy
diff --git a/maestro/server/helm/templates/maestro.serviceaccount.yaml b/maestro/server/helm/templates/maestro.serviceaccount.yaml
index 7d3faf00f..3d4b0a30b 100644
--- a/maestro/server/helm/templates/maestro.serviceaccount.yaml
+++ b/maestro/server/helm/templates/maestro.serviceaccount.yaml
@@ -5,3 +5,4 @@ metadata:
 namespace: {{ .Release.Namespace }}
 annotations:
 azure.workload.identity/client-id: {{ .Values.azure.clientId }}
+ azure.workload.identity/tenant-id: {{ .Values.azure.tenantId }}
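Review bot: `--set pullBinding.workloadIdentityTenantId="$${TENANT_ID}"` reads TENANT_ID as a shell variable (doubled `$`), yet nothing in the visible recipe assigns it now that the `IMAGE_PULLER_MI_TENANT_ID` lookup is gone, so it resolves only if TENANT_ID is present in the recipe's environment. If it is a make variable that is not exported, helm would receive an empty tenant ID without any error. The neighbouring `${ACR_NAME}` and `${IMAGE_BASE}` use make expansion, so `--set pullBinding.workloadIdentityTenantId="${TENANT_ID}" \` would be consistent with them, and a `test -n "${TENANT_ID}" && \` step ahead of the helm call would fail the deploy early. Where TENANT_ID is defined lies outside this hunk, as does the start of the `deploy` recipe.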
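Review bot: The added annotation `azure.workload.identity/tenant-id: {{ .Values.azure.tenantId }}` in maestro.serviceaccount.yaml is rendered unquoted and without a presence check, so an unset `azure.tenantId` renders as an empty (null) annotation value instead of failing the chart render. The Makefile hunks in this patch only show `pullBinding.workloadIdentityTenantId` being passed; whether `azure.tenantId` is also supplied to helm is not visible here and is worth confirming. I would write it as `azure.workload.identity/tenant-id: {{ required "azure.tenantId is required" .Values.azure.tenantId | quote }}`. The existing `client-id` line above it has the same shape and could be tightened the same way.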