diff --git a/config/config.msft.yaml b/config/config.msft.yaml index 5e063b3a8..ce5bc00f4 100644 --- a/config/config.msft.yaml +++ b/config/config.msft.yaml @@ -22,6 +22,18 @@ defaults: repository: aks/msi-acrpull digest: sha256:51dd1a7c217b554d7925e67008caf747c8bec17b641830160e08b6836a8aa589 #v0.1.12 + # Logs + logs: + mdsd: + namespace: logs + msiName: logs-mdsd + serviceAccountName: genevabit-aggregator + cert: + name: logs-mdsd + type: x-pem-file # GCS certificate file in PEM format + issuer: OneCertV2-PrivateCA + loganalytics: + enable: false # Hypershift hypershift: @@ -49,6 +61,8 @@ defaults: versions: "asm-1-23" ingressGatewayIPAddressName: "aro-hcp-istio-ingress" ingressGatewayIPAddressIPTags: "FirstPartyUsage:arohcpprodinboundsvc" + logs: + namespace: HCPServiceLogs # MGMT cluster specifics mgmt: @@ -64,6 +78,8 @@ defaults: kvName: arohcp-etcd-{{ .ctx.regionShort }}-{{ .ctx.stamp }} kvSoftDelete: true clusterOutboundIPAddressIPTags: "FirstPartyUsage:arohcpprodoutboundcx" + logs: + namespace: HCPManagementLogs # Frontend frontend: @@ -201,13 +217,6 @@ defaults: grafanaZoneRedundantMode: Enabled workspaceName: 'arohcp-{{ .ctx.regionShort }}' - # Logs - logs: - enableLogAnalytics: false - namespace: logs - msiName: logs-mdsd - serviceAccountName: genevabit-aggregator - clouds: public: # this configuration serves as a template for for all RH DEV subscription deployments @@ -273,6 +282,10 @@ clouds: clusterOutboundIPAddressIPTags: "FirstPartyUsage:/NonProd" istio: ingressGatewayIPAddressIPTags: "FirstPartyUsage:/NonProd" + logs: + san: SVC.GENEVA.KEYVAULT.ARO-HCP-INT.AZURE.COM + configVersion: "1.0" + # MC mgmt: aks: @@ -289,6 +302,9 @@ clouds: osDiskSizeGB: 128 azCount: 3 clusterOutboundIPAddressIPTags: "FirstPartyUsage:/NonProd" + logs: + san: MGMT.GENEVA.KEYVAULT.ARO-HCP-INT.AZURE.COM + configVersion: "1.0" # DNS dns: 
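Review bot: The key `namespace` now carries two different meanings in this file without a comment distinguishing them — `logs.mdsd.namespace: logs` in the first hunk sits next to `serviceAccountName` and is what the bicepparam templates read into `logsNamespace`, while `svc.logs.namespace: HCPServiceLogs` and `mgmt.logs.namespace: HCPManagementLogs` in the later hunks are Geneva account namespaces according to the `aksLogConfig` schema description. A short inline comment on each would stop the two being confused when values are copied between environments, e.g. `namespace: logs  # namespace the mdsd aggregator is deployed into (feeds logsNamespace in the bicepparams)` and `namespace: HCPServiceLogs  # Geneva logs account namespace, not a cluster namespace`. The `type: x-pem-file` line already has this kind of comment, so the style is established.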
@@ -343,3 +359,9 @@ clouds: aroDevopsMsiId: '/subscriptions/5299e6b7-b23b-46c8-8277-dc1147807117/resourcegroups/global-shared-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-ev2-identity' # Cert Officer used for KV signer registration kvCertOfficerPrincipalId: '32af88de-a61c-4f71-b709-50538598c4f2' # aro-ev2-admin-int-sp + + # Logs + logs: + mdsd: + subscriptions: + - 5299e6b7-b23b-46c8-8277-dc1147807117 diff --git a/config/config.schema.json b/config/config.schema.json index 339a92fde..bd75add5e 100644 --- a/config/config.schema.json +++ b/config/config.schema.json @@ -42,6 +42,29 @@ "vmSize" ] }, + "aksLogConfig": { + "type": "object", + "properties": { + "namespace": { + "description": "Geneva logs account namespace", + "type": "string" + }, + "san": { + "description": "Geneva logs account certificate SAN", + "type": "string" + }, + "configVersion": { + "description": "Geneva logs account namespace configuration version", + "type": "string" + } + }, + "additionalProperties": false, + "required": [ + "namespace", + "san", + "configVersion" + ] + }, "aksConfig": { "type": "object", "properties": { @@ -764,6 +787,10 @@ }, "subscription": { "type": "string" + }, + "logs": { + "description": "MDSD / Genevabits log aggregation and shipping configuration", + "$ref": "#/definitions/aksLogConfig" } }, "additionalProperties": false, 
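Review bot: The subscription id added under `logs.mdsd.subscriptions` is left as a plain scalar while the neighbouring identifiers in the context lines (`aroDevopsMsiId`, `kvCertOfficerPrincipalId`) are single-quoted. Quoting it, `- '5299e6b7-b23b-46c8-8277-dc1147807117'`, keeps the file's convention and protects the list against a future id that a YAML 1.1 loader could read as a number or timestamp, since the schema only checks `"type": "array"` and not the element type. The enclosing cloud/environment mapping starts outside the hunk.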
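Review bot: All three `aksLogConfig` properties accept the empty string, so a per-cluster `logs` block with `san: ""` or `configVersion: ""` validates and the problem only surfaces when the logs-account step runs. Adding `"minLength": 1` to `namespace`, `san` and `configVersion` rejects that at validation time; `san` holds a hostname, so `"format": "hostname"` is also worth considering if the validator in use enforces formats. The `namespace` description could additionally say it is the Geneva account namespace and not the cluster namespace that `logs.mdsd.namespace` elsewhere in this schema refers to, since the two share a key name.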
@@ -819,26 +846,76 @@ }, "logs": { "type": "object", + "additionalProperties": false, + "description": "Log infrastructure configuration", "properties": { - "enableLogAnalytics": { - "type": "boolean" - }, - "namespace": { - "type": "string" - }, - "msiName": { - "type": "string" + "loganalytics": { + "type": "object", + "description": "Log Analytics configuration", + "properties": { + "enable": { + "type": "boolean" + } + + }, + "additionalProperties": false, + "required": [ + "enable" + ] }, - "serviceAccountName": { - "type": "string" + "mdsd": { + "type": "object", + "properties": { + "namespace": { + "type": "string" + }, + "msiName": { + "type": "string" + }, + "serviceAccountName": { + "type": "string" + }, + "cert": { + "type": "object", + "properties": { + "name": { + "description": "Logs certificate name", + "type": "string" + }, + "type": { + "description": "Logs certificate type", + "type": "string" + }, + "issuer": { + "description": "Logs certificate issuer", + "type": "string" + } + }, + "additionalProperties": false, + "required": [ + "name", + "type", + "issuer" + ] + }, + "subscriptions": { + "description": "Geneva logs resources subscriptions", + "type": "array" + } + }, + "additionalProperties": false, + "required": [ + "namespace", + "msiName", + "serviceAccountName", + "cert", + "subscriptions" + ] } }, - "additionalProperties": false, "required": [ - "enableLogAnalytics", - "namespace", - "msiName", - "serviceAccountName" + "mdsd", + "loganalytics" ] }, "msiKeyVault": { @@ -951,6 +1028,10 @@ "required": [ "ingressGatewayIPAddressName" ] + }, + "logs": { + "description": "MDSD / Genevabits log aggregation and shipping configuration", + "$ref": "#/definitions/aksLogConfig" } }, "additionalProperties": false, diff --git a/config/config.yaml b/config/config.yaml index 99f617a2e..03e9b0101 100644 --- a/config/config.yaml +++ b/config/config.yaml 
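Review bot: `mdsd.subscriptions` is declared as `"type": "array"` with no `items` schema, so a list of numbers or nested objects validates even though the values are presumably subscription ids; `"items": { "type": "string", "minLength": 1 }` together with `"uniqueItems": true` closes that gap. Its description "Geneva logs resources subscriptions" reads as if a word is missing — "Subscriptions that host the Geneva logs resources" or similar would be clearer. Unlike the `cert` sub-properties, `mdsd.namespace`, `msiName` and `serviceAccountName` carry no `description`, and because `namespace` also appears in `aksLogConfig` with the Geneva-account meaning, a description on `mdsd.namespace` such as "Namespace the mdsd log aggregator is deployed into (not the Geneva account namespace)" would remove the ambiguity. There is also a stray blank line inside `loganalytics.properties` after the `enable` definition.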
@@ -22,8 +22,19 @@ defaults: namespace: hypershift additionalInstallArg: '--tech-preview-no-upgrade' + # Log settings logs: - enableLogAnalytics: false + mdsd: + namespace: logs + msiName: logs-mdsd + serviceAccountName: genevabit-aggregator + cert: + name: "" + type: "" + issuer: "" + subscriptions: [] + loganalytics: + enable: false # SVC cluster specifics svc: @@ -315,11 +326,6 @@ clouds: grafanaName: 'arohcp-dev' grafanaZoneRedundantMode: Disabled grafanaAdminGroupPrincipalId: 6b6d3adf-8476-4727-9812-20ffdef2b85c - # Logs - logs: - namespace: logs - msiName: logs-mdsd - serviceAccountName: genevabit-aggregator # DEVOPS MSI aroDevopsMsiId: '/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/global-rollout-identity' kvCertOfficerPrincipalId: 'c9b1819d-bb29-4ac2-9abe-39e4fe9b59eb' @@ -328,7 +334,8 @@ clouds: # this is the integrated DEV environment defaults: logs: - enableLogAnalytics: true + loganalytics: + enable: true mgmt: aks: systemAgentPool: @@ -359,7 +366,8 @@ clouds: # this is the cluster service PR check and full cycle test environment defaults: logs: - enableLogAnalytics: true + loganalytics: + enable: true svc: aks: # MC AKS nodepools diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json index 71723f3e5..a53353767 100644 --- a/config/public-cloud-cs-pr.json +++ b/config/public-cloud-cs-pr.json @@ -142,10 +142,20 @@ }, "kvCertOfficerPrincipalId": "c9b1819d-bb29-4ac2-9abe-39e4fe9b59eb", "logs": { - "enableLogAnalytics": true, - "msiName": "logs-mdsd", - "namespace": "logs", - "serviceAccountName": "genevabit-aggregator" + "loganalytics": { + "enable": true + }, + "mdsd": { + "cert": { + "issuer": "", + "name": "", + "type": "" + }, + "msiName": "logs-mdsd", + "namespace": "logs", + "serviceAccountName": "genevabit-aggregator", + "subscriptions": [] + } }, "maestro": { "agent": { 
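Review bot: The new defaults satisfy the stricter schema with empty placeholders — `cert.name`, `cert.type` and `cert.issuer` are `""` and `subscriptions` is `[]` — so an environment that needs MDSD shipping but fails to override them passes validation and only fails at deploy time. A comment on the block would make the intent explicit, e.g. `# placeholders: environments that ship logs to Geneva must override cert.* and subscriptions (config.msft.yaml sets real values)`; if MDSD shipping is never driven from this file, saying so is equally useful. The `# Log settings` heading could name both halves, `# Logs: MDSD/Genevabits shipping and Log Analytics`, to mirror the schema's split.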
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json index 309e62a3f..9ec40c22e 100644 --- a/config/public-cloud-dev.json +++ b/config/public-cloud-dev.json @@ -142,10 +142,20 @@ }, "kvCertOfficerPrincipalId": "c9b1819d-bb29-4ac2-9abe-39e4fe9b59eb", "logs": { - "enableLogAnalytics": true, - "msiName": "logs-mdsd", - "namespace": "logs", - "serviceAccountName": "genevabit-aggregator" + "loganalytics": { + "enable": true + }, + "mdsd": { + "cert": { + "issuer": "", + "name": "", + "type": "" + }, + "msiName": "logs-mdsd", + "namespace": "logs", + "serviceAccountName": "genevabit-aggregator", + "subscriptions": [] + } }, "maestro": { "agent": { diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json index 922cc358d..633232a52 100644 --- a/config/public-cloud-msft-int.json +++ b/config/public-cloud-msft-int.json @@ -142,10 +142,22 @@ }, "kvCertOfficerPrincipalId": "32af88de-a61c-4f71-b709-50538598c4f2", "logs": { - "enableLogAnalytics": false, - "msiName": "logs-mdsd", - "namespace": "logs", - "serviceAccountName": "genevabit-aggregator" + "loganalytics": { + "enable": false + }, + "mdsd": { + "cert": { + "issuer": "OneCertV2-PrivateCA", + "name": "logs-mdsd", + "type": "x-pem-file" + }, + "msiName": "logs-mdsd", + "namespace": "logs", + "serviceAccountName": "genevabit-aggregator", + "subscriptions": [ + "5299e6b7-b23b-46c8-8277-dc1147807117" + ] + } }, "maestro": { "agent": { @@ -221,6 +233,11 @@ }, "vnetAddressPrefix": "10.128.0.0/14" }, + "logs": { + "configVersion": "1.0", + "namespace": "HCPManagementLogs", + "san": "MGMT.GENEVA.KEYVAULT.ARO-HCP-INT.AZURE.COM" + }, "rg": "hcp-underlay-westus3-mgmt-1", "subscription": "hcp-westus3" }, @@ -290,6 +307,11 @@ "targetVersion": "asm-1-23", "versions": "asm-1-23" }, + "logs": { + "configVersion": "1.0", + "namespace": "HCPServiceLogs", + "san": "SVC.GENEVA.KEYVAULT.ARO-HCP-INT.AZURE.COM" + }, "rg": "hcp-underlay-westus3-svc", "subscription": "hcp-westus3" }, 
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json index 2388a73f4..6fc0d3dc9 100644 --- a/config/public-cloud-personal-dev.json +++ b/config/public-cloud-personal-dev.json @@ -142,10 +142,20 @@ }, "kvCertOfficerPrincipalId": "c9b1819d-bb29-4ac2-9abe-39e4fe9b59eb", "logs": { - "enableLogAnalytics": false, - "msiName": "logs-mdsd", - "namespace": "logs", - "serviceAccountName": "genevabit-aggregator" + "loganalytics": { + "enable": false + }, + "mdsd": { + "cert": { + "issuer": "", + "name": "", + "type": "" + }, + "msiName": "logs-mdsd", + "namespace": "logs", + "serviceAccountName": "genevabit-aggregator", + "subscriptions": [] + } }, "maestro": { "agent": { diff --git a/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam index adeac221b..1a0f37ed7 100644 --- a/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam +++ b/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam @@ -46,11 +46,11 @@ param aroDevopsMsiId = '{{ .aroDevopsMsiId }}' // Azure Monitor Workspace param azureMonitoringWorkspaceId = '__azureMonitoringWorkspaceId__' -// logs +// MDSD / Genevabits @description('The namespace of the logs') -param logsNamespace = '{{ .logs.namespace }}' -param logsMSI = '{{ .logs.msiName }}' -param logsServiceAccount = '{{ .logs.serviceAccountName }}' +param logsNamespace = '{{ .logs.mdsd.namespace }}' +param logsMSI = '{{ .logs.mdsd.msiName }}' +param logsServiceAccount = '{{ .logs.mdsd.serviceAccountName }}' // Log Analytics Workspace ID will be passed from region pipeline if enabled in config param logAnalyticsWorkspaceId = '__logAnalyticsWorkspaceId__' diff --git a/dev-infrastructure/configurations/output-region.tmpl.bicepparam b/dev-infrastructure/configurations/output-region.tmpl.bicepparam index 2515a1bb2..bae7114ff 100644 --- a/dev-infrastructure/configurations/output-region.tmpl.bicepparam 
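Review bot: `@description('The namespace of the logs')` decorates only `logsNamespace`; `logsMSI` and `logsServiceAccount` are retargeted to the new `logs.mdsd.*` keys in the same hunk but still have no description, and the identical hunk in svc-cluster.tmpl.bicepparam has the same gap. Adding `@description('Name of the managed identity used for MDSD log shipping')` above `logsMSI` and `@description('Service account the MDSD log aggregator runs as')` above `logsServiceAccount` (wording adjusted to what the bicep template actually does with them) documents the parameters where the config path is bound. The `@description` on `logsNamespace` could also say which namespace is meant, since the config now has a Geneva account namespace under the same key name. The parameter list continues outside the hunk.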
+++ b/dev-infrastructure/configurations/output-region.tmpl.bicepparam @@ -2,4 +2,4 @@ using '../templates/output-region.bicep' param azureMonitorWorkspaceName = '{{ .monitoring.workspaceName }}' param maestroEventGridNamespacesName = '{{ .maestro.eventGrid.name }}' -param enableLogAnalytics = {{ .logs.enableLogAnalytics }} +param enableLogAnalytics = {{ .logs.loganalytics.enable }} diff --git a/dev-infrastructure/configurations/region.tmpl.bicepparam b/dev-infrastructure/configurations/region.tmpl.bicepparam index 38abca5d7..44efd2bbe 100644 --- a/dev-infrastructure/configurations/region.tmpl.bicepparam +++ b/dev-infrastructure/configurations/region.tmpl.bicepparam @@ -23,4 +23,4 @@ param maestroCertificateIssuer = '{{ .maestro.certIssuer }}' param aroDevopsMsiId = '{{ .aroDevopsMsiId }}' // Log Analytics -param enableLogAnalytics = {{ .logs.enableLogAnalytics }} +param enableLogAnalytics = {{ .logs.loganalytics.enable }} diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam index 8b67a8bd0..ac2fc8101 100644 --- a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam +++ b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam @@ -76,11 +76,11 @@ param frontendIngressCertIssuer = '{{ .frontend.cert.issuer }}' // Azure Monitor Workspace param azureMonitoringWorkspaceId = '__azureMonitoringWorkspaceId__' -// logs +// MDSD / Genevabits @description('The namespace of the logs') -param logsNamespace = '{{ .logs.namespace }}' -param logsMSI = '{{ .logs.msiName }}' -param logsServiceAccount = '{{ .logs.serviceAccountName }}' +param logsNamespace = '{{ .logs.mdsd.namespace }}' +param logsMSI = '{{ .logs.mdsd.msiName }}' +param logsServiceAccount = '{{ .logs.mdsd.serviceAccountName }}' // Log Analytics Workspace ID will be passed from region pipeline if enabled in config param logAnalyticsWorkspaceId = '__logAnalyticsWorkspaceId__' 
diff --git a/tooling/templatize/pkg/pipeline/pipeline.schema.v1.json b/tooling/templatize/pkg/pipeline/pipeline.schema.v1.json index 875d26fb3..c8cffaa05 100644 --- a/tooling/templatize/pkg/pipeline/pipeline.schema.v1.json +++ b/tooling/templatize/pkg/pipeline/pipeline.schema.v1.json @@ -148,7 +148,7 @@ }, "action": { "type": "string", - "enum": ["ARM", "Shell", "DelegateChildZone", "SetCertificateIssuer", "CreateCertificate", "ResourceProviderRegistration", "LogsAccount"] + "enum": ["ARM", "Shell", "DelegateChildZone", "SetCertificateIssuer", "CreateCertificate", "ResourceProviderRegistration", "RPLogsAccount", "ClusterLogsAccount"] }, "template": { "type": "string" @@ -214,6 +214,21 @@ "certdescription": { "$ref": "#/definitions/variableRef" }, + "configVersion": { + "$ref": "#/definitions/variableRef" + }, + "events": { + "type": "object", + "additionalProperties": false, + "properties": { + "akskubesystem": { + "type": "string" + } + }, + "required": [ + "akskubesystem" + ] + }, "outputOnly": { "type": "boolean" } @@ -434,7 +449,7 @@ }, "action": { "type": "string", - "enum": ["LogsAccount"] + "enum": ["RPLogsAccount", "ClusterLogsAccount"] }, "subscriptionId": { "$ref": "#/definitions/variableRef" @@ -448,6 +463,21 @@ "certdescription": { "$ref": "#/definitions/variableRef" }, + "configVersion": { + "$ref": "#/definitions/variableRef" + }, + "events": { + "type": "object", + "additionalProperties": false, + "properties": { + "akskubesystem": { + "type": "string" + } + }, + "required": [ + "akskubesystem" + ] + }, "dependsOn": { "type": "array", "items": { @@ -459,7 +489,9 @@ "subscriptionId", "namespace", "certsan", - "certdescription" + "certdescription", + "configVersion", + "events" ] } ], diff --git a/tooling/templatize/testdata/pipeline.yaml b/tooling/templatize/testdata/pipeline.yaml index 3a7a492a1..6ab77e84f 100644 --- a/tooling/templatize/testdata/pipeline.yaml +++ b/tooling/templatize/testdata/pipeline.yaml 
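Review bot: The `events` property block added in the `@@ -214` hunk is repeated verbatim in the `@@ -448` hunk; the schema already factors shared shapes into `#/definitions` (`variableRef` is used by every sibling field), so an `events` definition referenced from both sites would keep the two copies from drifting. `events.akskubesystem` is a plain `"type": "string"` while `subscriptionId`, `namespace`, `certsan` and `configVersion` are all `variableRef`; if that is deliberate, a `description` on the definition saying so will stop the next reader from "fixing" it. Renaming the `LogsAccount` enum value to `RPLogsAccount`/`ClusterLogsAccount` in both enums means any pipeline file outside this diff that still says `LogsAccount` now fails validation, which deserves a line in the commit message if such files exist. The enclosing `definitions` object is outside the hunk.
```json
"events": {
  "type": "object",
  "additionalProperties": false,
  "description": "Logs account event configuration; akskubesystem is a plain string, not a variableRef",
  "properties": {
    "akskubesystem": {
      "type": "string"
    }
  },
  "required": [
    "akskubesystem"
  ]
},
```
with both property sites reduced to `"events": { "$ref": "#/definitions/events" }`.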
@@ -69,14 +69,31 @@ resourceGroups: - Microsoft.Storage - Microsoft.EventHub - Microsoft.Insights + - name: rpAccount + action: RPLogsAccount + subscriptionId: + value: sub + namespace: + value: ns + certsan: + value: san + certdescription: + value: HCP Service Cluster + configVersion: + value: version + events: + akskubesystem: kubesystem - name: clusterAccount - action: LogsAccount + action: ClusterLogsAccount subscriptionId: - value: - - abc + value: sub namespace: - value: HCPManagementLogs + value: ns certsan: - value: MGMT.GENEVA.KEYVAULT.ARO-HCP-INT.AZURE.COM + value: san certdescription: value: HCP Management Cluster + configVersion: + value: version + events: + akskubesystem: kubesystem diff --git a/tooling/templatize/testdata/zz_fixture_TestProcessPipelineForEV2pipeline.yaml b/tooling/templatize/testdata/zz_fixture_TestProcessPipelineForEV2pipeline.yaml index 78715352b..b0a7e51c9 100644 --- a/tooling/templatize/testdata/zz_fixture_TestProcessPipelineForEV2pipeline.yaml +++ b/tooling/templatize/testdata/zz_fixture_TestProcessPipelineForEV2pipeline.yaml @@ -80,18 +80,41 @@ resourceGroups: - Microsoft.Storage - Microsoft.EventHub - Microsoft.Insights + - name: rpAccount + action: RPLogsAccount + certdescription: + name: certdescription + value: HCP Service Cluster + certsan: + name: certsan + value: san + configVersion: + name: configVersion + value: version + events: + akskubesystem: kubesystem + namespace: + name: namespace + value: ns + subscriptionId: + name: subscriptionId + value: sub - name: clusterAccount - action: LogsAccount + action: ClusterLogsAccount certdescription: name: certdescription value: HCP Management Cluster certsan: name: certsan - value: MGMT.GENEVA.KEYVAULT.ARO-HCP-INT.AZURE.COM + value: san + configVersion: + name: configVersion + value: version + events: + akskubesystem: kubesystem namespace: name: namespace - value: HCPManagementLogs + value: ns subscriptionId: name: subscriptionId - value: - - abc + value: sub 
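Review bot: `subscriptionId` for `clusterAccount` changes from a one-element list (`- abc`) to the scalar `sub`, and the new `rpAccount` step uses the scalar form too, while the config side in this diff models `logs.mdsd.subscriptions` as an array; none of the visible schema hunks change `variableRef`, so it is worth confirming whether it accepts both a scalar and a list, and documenting in the fixture which form the steps expect. A one-line comment above the `subscriptionId` key, e.g. `# single subscription id; logs.mdsd.subscriptions in config is a list`, would capture that. The `resourceGroups` entry this hunk belongs to starts outside the hunk.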
diff --git a/tooling/templatize/testdata/zz_fixture_TestRawOptions.yaml b/tooling/templatize/testdata/zz_fixture_TestRawOptions.yaml index 60dbfd93f..1322f0cdf 100644 --- a/tooling/templatize/testdata/zz_fixture_TestRawOptions.yaml +++ b/tooling/templatize/testdata/zz_fixture_TestRawOptions.yaml @@ -69,14 +69,31 @@ resourceGroups: - Microsoft.Storage - Microsoft.EventHub - Microsoft.Insights + - name: rpAccount + action: RPLogsAccount + subscriptionId: + value: sub + namespace: + value: ns + certsan: + value: san + certdescription: + value: HCP Service Cluster + configVersion: + value: version + events: + akskubesystem: kubesystem - name: clusterAccount - action: LogsAccount + action: ClusterLogsAccount subscriptionId: - value: - - abc + value: sub namespace: - value: HCPManagementLogs + value: ns certsan: - value: MGMT.GENEVA.KEYVAULT.ARO-HCP-INT.AZURE.COM + value: san certdescription: value: HCP Management Cluster + configVersion: + value: version + events: + akskubesystem: kubesystem