Configure min tls

Make changing min tls possible
Refactor configuration, create subkey for eventgrid config

config/config.schema.json

@@ -217,11 +217,25 @@
           "consumerName": {
             "type": "string"
           },
-          "eventGridMaxClientSessionsPerAuthName": {
-            "type": "string"
-          },
-          "eventgridName": {
-            "type": "string"
+          "eventGrid": {
+            "type": "object",
+            "properties": {
+              "maxClientSessionsPerAuthName": {
+                "type": "string"
+              },
+              "name": {
+                "type": "string"
+              },
+              "minimumTlsVersionAllowed": {
+                "type": "string"
+              }
+            },
+            "additionalProperties": false,
+            "required": [
+              "maxClientSessionsPerAuthName",
+              "name",
+              "minimumTlsVersionAllowed"
+            ]
           },
           "imageBase": {
             "type": "string"
@@ -272,8 +286,7 @@
         "required": [
           "certDomain",
           "consumerName",
-          "eventGridMaxClientSessionsPerAuthName",
-          "eventgridName",
+          "eventGrid",
           "imageBase",
           "imageTag",
           "keyVaultName",

config/config.yaml

@@ -48,8 +48,10 @@ defaults:
   # Maestro
   maestro:
     keyVaultName: arohcp-maestro-{{ .ctx.regionShort }}
-    eventgridName: arohcp-maestro-{{ .ctx.regionShort }}
-    eventGridMaxClientSessionsPerAuthName: '4'
+    eventGrid:
+      name: arohcp-maestro-{{ .ctx.regionShort }}
+      maxClientSessionsPerAuthName: '4'
+      minimumTlsVersionAllowed: '1.2'
     certDomain: 'selfsigned.maestro.keyvault.azure.com'
     postgres:
       name: arohcp-maestro-{{ .ctx.regionShort }}

config/public-cloud-cs-pr.json

@@ -55,8 +55,11 @@
   "maestro": {
     "certDomain": "selfsigned.maestro.keyvault.azure.com",
     "consumerName": "hcp-underlay-cspr-mgmt-1",
-    "eventGridMaxClientSessionsPerAuthName": "4",
-    "eventgridName": "arohcp-maestro-cspr",
+    "eventGrid": {
+      "maxClientSessionsPerAuthName": "4",
+      "minimumTlsVersionAllowed": "1.2",
+      "name": "arohcp-maestro-cspr"
+    },
     "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
     "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
     "keyVaultName": "arohcp-maestro-cspr",

config/public-cloud-dev.json

@@ -55,8 +55,11 @@
   "maestro": {
     "certDomain": "selfsigned.maestro.keyvault.azure.com",
     "consumerName": "hcp-underlay-dev-mgmt-1",
-    "eventGridMaxClientSessionsPerAuthName": "4",
-    "eventgridName": "arohcp-maestro-dev",
+    "eventGrid": {
+      "maxClientSessionsPerAuthName": "4",
+      "minimumTlsVersionAllowed": "1.2",
+      "name": "arohcp-maestro-dev"
+    },
     "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
     "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
     "keyVaultName": "arohcp-maestro-dev",

config/public-cloud-personal-dev.json

@@ -55,8 +55,11 @@
   "maestro": {
     "certDomain": "selfsigned.maestro.keyvault.azure.com",
     "consumerName": "hcp-underlay-usw3tst-mgmt-1",
-    "eventGridMaxClientSessionsPerAuthName": "4",
-    "eventgridName": "arohcp-maestro-usw3tst",
+    "eventGrid": {
+      "maxClientSessionsPerAuthName": "4",
+      "minimumTlsVersionAllowed": "1.2",
+      "name": "arohcp-maestro-usw3tst"
+    },
     "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
     "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
     "keyVaultName": "arohcp-maestro-usw3tst",

dev-infrastructure/configurations/region.tmpl.bicepparam

@@ -9,3 +9,4 @@ param regionalDNSSubdomain = '{{ .regionalDNSSubdomain }}'
 param maestroKeyVaultName = '{{ .maestro.keyVaultName }}'
 param maestroEventGridNamespacesName = '{{ .maestro.eventgridName }}'
 param maestroEventGridMaxClientSessionsPerAuthName = {{ .maestro.eventGridMaxClientSessionsPerAuthName }}
+param maestroEventGridMinimumTlsVersionAllowed = {{ .maestro.eventGridMinimumTlsVersionAllowed }}

dev-infrastructure/modules/maestro/maestro-infra.bicep

@@ -35,6 +35,9 @@ param maestroKeyVaultName string
 @description('The name for the Managed Identity that will be created for Key Vault Certificate management.')
 param kvCertOfficerManagedIdentityName string
 
+@description('Minimum TLS version allowed for the EventGrid Namespace')
+param minimumTlsVersionAllowed string = '1.2'
+
 @description('Allow public network access to the EventGrid Namespace')
 @allowed([
   'Enabled'
@@ -118,6 +121,7 @@ resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2024-06-01-preview'
   properties: {
     isZoneRedundant: true
     publicNetworkAccess: publicNetworkAccess
+    minimumTlsVersionAllowed: minimumTlsVersionAllowed
     topicSpacesConfiguration: {
       state: 'Enabled'
       maximumSessionExpiryInHours: 1

dev-infrastructure/templates/region.bicep

@@ -13,6 +13,9 @@ param maestroEventGridNamespacesName string
 @description('The maximum client sessions per authentication name for the EventGrid MQTT broker')
 param maestroEventGridMaxClientSessionsPerAuthName int
 
+@description('Minimum TLS version allowed for the EventGrid Namespace')
+param maestroEventGridMinimumTlsVersionAllowed string = '1.2'
+
 @description('Set to true to prevent resources from being pruned after 48 hours')
 param persist bool = false
 
@@ -67,5 +70,6 @@ module maestroInfra '../modules/maestro/maestro-infra.bicep' = {
     maestroKeyVaultName: maestroKeyVaultName
     kvCertOfficerManagedIdentityName: maestroKeyVaultCertOfficerMSIName
     publicNetworkAccess: 'Enabled'
+    minimumTlsVersionAllowed: eventGridMinimumTlsVersionAllowed
   }
 }