diff --git a/.github/workflows/aro-hcp-cd.yml b/.github/workflows/aro-hcp-cd.yml
index 651a2d3c3..f99b26dff 100644
--- a/.github/workflows/aro-hcp-cd.yml
+++ b/.github/workflows/aro-hcp-cd.yml
@@ -70,7 +70,7 @@
 cd dev-infrastructure/
 # Manage ACR
- make acr-svc acr-ocp
+ make global acr-svc acr-ocp
 # Setup operator roles for platform workload identity
 make operator-roles
diff --git a/config/config.msft.yaml b/config/config.msft.yaml
index 83bf33a02..752056f63 100644
--- a/config/config.msft.yaml
+++ b/config/config.msft.yaml
@@ -8,6 +8,8 @@ defaults:
 global:
 rg: b-gerdo-global-shared-resources
 subscription: hcp-{{ .ctx.region }}
+ manageTokenCustomRole: false
+ region: uksouth
 # General AKS config
 kubernetesVersion: 1.30.5
@@ -17,9 +19,6 @@ defaults:
 podSubnetPrefix: "10.128.64.0/18"
 aksName: aro-hcp-aks
- # ACR
- serviceComponentAcrResourceGroups: '{{ .ctx.region }}-shared-resources'
-
 # Hypershift
 hypershift:
 namespace: hypershift
@@ -72,7 +71,7 @@ defaults:
 # Cluster Service
 clusterService:
- #acrRG: '{{ .ctx.region }}-shared-resources'
+ #acrRG: 'b-gerdo-global-shared-resources'
 acrRG: ''
 postgres:
 name: arohcp-cs-{{ .ctx.regionShort }}
@@ -171,7 +170,6 @@ clouds:
 regionalDNSSubdomain: '{{ .ctx.region }}'
 # ACR
- acrName: arohcpint
 svcAcrName: arohcpsvcint
 ocpAcrName: arohcpocpint
diff --git a/config/config.schema.json b/config/config.schema.json
index e3ef80475..e49648d2f 100644
--- a/config/config.schema.json
+++ b/config/config.schema.json
@@ -3,9 +3,6 @@
 "title": "Generated schema for Root",
 "type": "object",
 "properties": {
- "acrName": {
- "type": "string"
- },
 "aksName": {
 "type": "string"
 },
@@ -150,11 +147,19 @@
 },
 "subscription": {
 "type": "string"
+ },
+ "manageTokenCustomRole": {
+ "type": "boolean"
+ },
+ "region": {
+ "type": "string"
 }
 },
 "required": [
 "rg",
- "subscription"
+ "subscription",
+ "manageTokenCustomRole",
+ "region"
 ]
 },
 "hypershift": {
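Review bot: `make global acr-svc acr-ocp` names `global` explicitly although the Makefile in this same diff makes both `acr-svc` and `acr-ocp` depend on `global`, so the target runs exactly once either way and the explicit mention only suggests an ordering requirement that make already enforces. If it is meant to document the new split, a comment above the line, `# global creates the shared ACRs; acr-svc/acr-ocp only configure them`, says so more clearly.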
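Review bot: `region: uksouth` under `global` is a fixed literal next to `subscription: hcp-{{ .ctx.region }}`, which follows the deployment region, and global.tmpl.bicepparam feeds `.global.region` into the ACR `location`, so the registries for this environment land in uksouth regardless of `.ctx.region`; if that pinning is intended, a comment above the key would prevent a later "fix", e.g. `# global resources live in one fixed region, independent of .ctx.region`. The same applies to `region: westus3` in config/config.yaml further down. `manageTokenCustomRole: false` also means templates/global.bicep will not deploy the token-management role definition for this environment, while modules/acr/acr-permissions.bicep still looks that role up as `existing` whenever `grantManageTokenAccess` is set; a short comment on the key naming that dependency would save the next reader a deployment failure to diagnose.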
@@ -507,9 +512,6 @@
 "regionalDNSSubdomain": {
 "type": "string"
 },
- "serviceComponentAcrResourceGroups": {
- "type": "string"
- },
 "serviceKeyVault": {
 "type": "object",
 "properties": {
@@ -612,7 +614,6 @@
 },
 "additionalProperties": false,
 "required": [
- "acrName",
 "aksName",
 "aroDevopsMsiId",
 "baseDnsZoneName",
@@ -640,7 +641,6 @@
 "region",
 "regionRG",
 "regionalDNSSubdomain",
- "serviceComponentAcrResourceGroups",
 "serviceKeyVault",
 "subnetPrefix",
 "svc",
diff --git a/config/config.yaml b/config/config.yaml
index 38df15805..107a832ab 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -4,8 +4,10 @@ defaults:
 regionRG: hcp-underlay-{{ .ctx.regionShort }}
 global:
- rg: global-shared-resources
+ rg: global
 subscription: hcp-{{ .ctx.region }}
+ manageTokenCustomRole: true
+ region: westus3
 # General AKS config
 kubernetesVersion: 1.30.5
@@ -15,9 +17,6 @@ defaults:
 podSubnetPrefix: "10.128.64.0/18"
 aksName: aro-hcp-aks
- # ACR
- serviceComponentAcrResourceGroups: global
-
 # Hypershift
 hypershift:
 namespace: hypershift
@@ -182,7 +181,6 @@ clouds:
 kvSoftDelete: false
 subscription: ARO Hosted Control Planes (EA Subscription 1)
 # Shared ACRs
- acrName: arohcpdev
 svcAcrName: arohcpsvcdev
 ocpAcrName: arohcpocpdev
 # Shared Image Sync
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
index 526f1bfc6..75703a885 100644
--- a/config/public-cloud-cs-pr.json
+++ b/config/public-cloud-cs-pr.json
@@ -1,5 +1,4 @@
 {
- "acrName": "arohcpdev",
 "aksName": "aro-hcp-aks",
 "aroDevopsMsiId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aro-hcp-devops",
 "baseDnsZoneName": "hcp.osadev.cloud",
@@ -34,7 +33,9 @@
 }
 },
 "global": {
- "rg": "global-shared-resources",
+ "manageTokenCustomRole": true,
+ "region": "westus3",
+ "rg": "global",
 "subscription": "hcp-westus3"
 },
 "hypershift": {
@@ -127,7 +128,6 @@
 "region": "westus3",
 "regionRG": "hcp-underlay-cspr",
 "regionalDNSSubdomain": "westus3-cs",
- "serviceComponentAcrResourceGroups": "global",
 "serviceKeyVault": {
 "name": "aro-hcp-dev-svc-kv",
 "private": false,
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
index aff10772b..a37f118cd 100644
--- a/config/public-cloud-dev.json
+++ b/config/public-cloud-dev.json
@@ -1,5 +1,4 @@
 {
- "acrName": "arohcpdev",
 "aksName": "aro-hcp-aks",
 "aroDevopsMsiId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aro-hcp-devops",
 "baseDnsZoneName": "hcp.osadev.cloud",
@@ -34,7 +33,9 @@
 }
 },
 "global": {
- "rg": "global-shared-resources",
+ "manageTokenCustomRole": true,
+ "region": "westus3",
+ "rg": "global",
 "subscription": "hcp-westus3"
 },
 "hypershift": {
@@ -127,7 +128,6 @@
 "region": "westus3",
 "regionRG": "hcp-underlay-dev",
 "regionalDNSSubdomain": "westus3",
- "serviceComponentAcrResourceGroups": "global",
 "serviceKeyVault": {
 "name": "aro-hcp-dev-svc-kv",
 "private": false,
diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
index 6c5aaa7a2..fedaab0ec 100644
--- a/config/public-cloud-msft-int.json
+++ b/config/public-cloud-msft-int.json
@@ -1,5 +1,4 @@
 {
- "acrName": "arohcpint",
 "aksName": "aro-hcp-aks",
 "aroDevopsMsiId": "/subscriptions/5299e6b7-b23b-46c8-8277-dc1147807117/resourcegroups/global-shared-resources/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aroint-int-public-oidc",
 "baseDnsZoneName": "aro-hcp.azure-test.net",
@@ -34,6 +33,8 @@
 }
 },
 "global": {
+ "manageTokenCustomRole": false,
+ "region": "uksouth",
 "rg": "b-gerdo-global-shared-resources",
 "subscription": "hcp-westus3"
 },
@@ -127,7 +128,6 @@
 "region": "westus3",
 "regionRG": "westus3-shared-resources",
 "regionalDNSSubdomain": "westus3",
- "serviceComponentAcrResourceGroups": "westus3-shared-resources",
 "serviceKeyVault": {
 "name": "arohcp-svc-int",
 "private": false,
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
index a7af73a3c..b3ac7a8a8 100644
--- a/config/public-cloud-personal-dev.json
+++ b/config/public-cloud-personal-dev.json
@@ -1,5 +1,4 @@
 {
- "acrName": "arohcpdev",
 "aksName": "aro-hcp-aks",
 "aroDevopsMsiId": "/subscriptions/1d3378d3-5a3f-4712-85a1-2485495dfc4b/resourceGroups/global/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aro-hcp-devops",
 "baseDnsZoneName": "hcp.osadev.cloud",
@@ -34,7 +33,9 @@
 }
 },
 "global": {
- "rg": "global-shared-resources",
+ "manageTokenCustomRole": true,
+ "region": "westus3",
+ "rg": "global",
 "subscription": "hcp-westus3"
 },
 "hypershift": {
@@ -127,7 +128,6 @@
 "region": "westus3",
 "regionRG": "hcp-underlay-usw3tst",
 "regionalDNSSubdomain": "usw3tst",
- "serviceComponentAcrResourceGroups": "global",
 "serviceKeyVault": {
 "name": "aro-hcp-dev-svc-kv",
 "private": false,
diff --git a/dev-infrastructure/.gitignore b/dev-infrastructure/.gitignore
index a4c761b68..ba9a08f5b 100644
--- a/dev-infrastructure/.gitignore
+++ b/dev-infrastructure/.gitignore
@@ -7,4 +7,6 @@ configurations/acr-ocp.bicepparam
 configurations/image-sync.bicepparam
 configurations/dev-role-assignments.bicepparam
 configurations/cs-integ-msi.bicepparam
+configurations/mock-identities.bicepparam
+configurations/global.bicepparam
 config.mk
diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile
index 14e3bca82..3305fed36 100644
--- a/dev-infrastructure/Makefile
+++ b/dev-infrastructure/Makefile
@@ -367,7 +367,27 @@ global.rg:
 fi
 .PHONY: global.rg
-acr-svc: global.rg
+global: global.rg
+ @./ensure-no-running-deployment.sh $(GLOBAL_RESOURCEGROUP) ${GLOBAL_RG_DEPLOYMENT_NAME}-acr
+ az deployment group create \
+ --name ${GLOBAL_RG_DEPLOYMENT_NAME}-acr \
+ --resource-group $(GLOBAL_RESOURCEGROUP) \
+ --template-file templates/global.bicep \
+ $(PROMPT_TO_CONFIRM) \
+ --parameters \
+ configurations/global.bicepparam
+
+global.what-if: global.rg
+ az deployment group what-if \
+ --name ${GLOBAL_RG_DEPLOYMENT_NAME}-acr \
+ --resource-group $(GLOBAL_RESOURCEGROUP) \
+ --template-file templates/global.bicep \
+ --parameters \
+ configurations/global.bicepparam --parameters \
+ location=westus3
+
+acr-svc: global
 @./ensure-no-running-deployment.sh $(GLOBAL_RESOURCEGROUP) ${GLOBAL_RG_DEPLOYMENT_NAME}-acr-svc
 az deployment group create \
 --name ${GLOBAL_RG_DEPLOYMENT_NAME}-acr-svc \
@@ -387,7 +407,7 @@ acr-svc.what-if: global.rg
 configurations/acr-svc.bicepparam
 .PHONY: acr-svc.what-if
-acr-ocp: global.rg
+acr-ocp: global
 @./ensure-no-running-deployment.sh $(GLOBAL_RESOURCEGROUP) ${GLOBAL_RG_DEPLOYMENT_NAME}-acr-ocp
 az deployment group create \
 --name ${GLOBAL_RG_DEPLOYMENT_NAME}-acr-ocp \
@@ -493,7 +513,7 @@ operator-roles.what-if:
 # Common
 #
-what-if: acr-svc.what-if acr-ocp.what-if region.what-if svc.what-if mgmt.what-if metrics-infra.what-if imagesync.what-if operator-roles.what-if
+what-if: global.what-if acr-svc.what-if acr-ocp.what-if region.what-if svc.what-if mgmt.what-if metrics-infra.what-if imagesync.what-if operator-roles.what-if
 .PHONY: what-if
 infra: region svc.init mgmt.init
diff --git a/dev-infrastructure/configurations/acr-ocp.tmpl.bicepparam b/dev-infrastructure/configurations/acr-ocp.tmpl.bicepparam
index 7c7128020..b250ce0bb 100644
--- a/dev-infrastructure/configurations/acr-ocp.tmpl.bicepparam
+++ b/dev-infrastructure/configurations/acr-ocp.tmpl.bicepparam
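Review bot: In `global.what-if` a second `--parameters` with `location=westus3` follows `configurations/global.bicepparam`, and as far as I know a later `--parameters` value wins in `az deployment group what-if`, so the preview always evaluates westus3 even though the `.bicepparam` sets `location` from `.global.region` (uksouth in config.msft.yaml) and the `global` create target passes no location override at all; the what-if therefore does not preview what `global` will deploy. Dropping the two trailing lines, `--parameters \` and `location=westus3`, makes both targets use the same inputs. Neither `global` nor `global.what-if` is declared phony, unlike `global.rg` and `acr-svc.what-if` beside them; add `.PHONY: global global.what-if`. As rendered here `configurations/global.bicepparam --parameters \` also sits on one recipe line; if the real file splits it, that part is fine.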
@@ -1,8 +1,6 @@
 using '../templates/dev-acr.bicep'
 param acrName = '{{ .ocpAcrName }}'
-param acrSku = 'Premium'
-param location = '{{ .region }}'
 param quayRepositoriesToCache = [
 {
diff --git a/dev-infrastructure/configurations/acr-svc.tmpl.bicepparam b/dev-infrastructure/configurations/acr-svc.tmpl.bicepparam
index 6e345b603..24e8dc413 100644
--- a/dev-infrastructure/configurations/acr-svc.tmpl.bicepparam
+++ b/dev-infrastructure/configurations/acr-svc.tmpl.bicepparam
@@ -1,8 +1,6 @@
 using '../templates/dev-acr.bicep'
 param acrName = '{{ .svcAcrName }}'
-param acrSku = 'Premium'
-param location = '{{ .region }}'
 param quayRepositoriesToCache = [
 {
diff --git a/dev-infrastructure/configurations/global.tmpl.bicepparam b/dev-infrastructure/configurations/global.tmpl.bicepparam
new file mode 100644
index 000000000..36dc440be
--- /dev/null
+++ b/dev-infrastructure/configurations/global.tmpl.bicepparam
@@ -0,0 +1,11 @@
+using '../templates/global.bicep'
+
+param svcAcrName = '{{ .svcAcrName }}'
+param svcAcrSku = 'Premium'
+
+param ocpAcrName = '{{ .ocpAcrName }}'
+param ocpAcrSku = 'Premium'
+
+param location = '{{ .global.region }}'
+
+param manageTokenRole = {{ .global.manageTokenCustomRole }}
diff --git a/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam
index 0a76a89c7..d80c5cacf 100644
--- a/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam
+++ b/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam
@@ -32,7 +32,7 @@ param externalDNSServiceAccountName = '{{ .hypershift.externalDNSServiceAccountN
 param regionalDNSZoneName = '{{ .regionalDNSSubdomain}}.{{ .baseDnsZoneName }}'
 // ACR
-param acrPullResourceGroups = ['{{ .serviceComponentAcrResourceGroups }}']
+param acrPullResourceGroups = ['{{ .global.rg }}']
 // Region
 param regionalResourceGroup = '{{ .regionRG }}'
diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
index 98c845bf0..b4eac42da 100644
--- a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
+++ b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
@@ -41,7 +41,7 @@ param serviceKeyVaultLocation = '{{ .serviceKeyVault.region }}'
 param serviceKeyVaultSoftDelete = {{ .serviceKeyVault.softDelete }}
 param serviceKeyVaultPrivate = {{ .serviceKeyVault.private }}
-param acrPullResourceGroups = ['{{ .serviceComponentAcrResourceGroups }}']
+param acrPullResourceGroups = ['{{ .global.rg }}']
 param clustersServiceAcrResourceGroupNames = ['{{ .clusterService.acrRG }}']
 param oidcStorageAccountName = '{{ .oidcStorageAccountName }}'
diff --git a/dev-infrastructure/modules/acr-permissions.bicep b/dev-infrastructure/modules/acr/acr-permissions.bicep
similarity index 96%
rename from dev-infrastructure/modules/acr-permissions.bicep
rename to dev-infrastructure/modules/acr/acr-permissions.bicep
index b0618c2b8..785f140ab 100644
--- a/dev-infrastructure/modules/acr-permissions.bicep
+++ b/dev-infrastructure/modules/acr/acr-permissions.bicep
@@ -52,8 +52,10 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
 }
 }
+import * as tmr from 'token-mgmt-role.bicep'
+
 resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (grantManageTokenAccess) {
- name: guid(acrResourceGroupid, 'token-creation-role')
+ name: guid(tmr.tokenManagementRoleName)
 }
 resource acrContributorRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (grantManageTokenAccess) {
diff --git a/dev-infrastructure/modules/acr/acr.bicep b/dev-infrastructure/modules/acr/acr.bicep
index a2659fa09..864562e39 100644
--- a/dev-infrastructure/modules/acr/acr.bicep
+++ b/dev-infrastructure/modules/acr/acr.bicep
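Review bot: The `existing` lookup `name: guid(tmr.tokenManagementRoleName)` now ties this module to the role definition that templates/global.bicep creates only when `manageTokenRole` is true, so any deployment that sets `grantManageTokenAccess` in an environment with `manageTokenCustomRole: false` (config.msft.yaml in this diff) will reference a role definition that does not exist, and nothing in this file says so. A comment on the resource would make the coupling explicit, e.g. `// defined by modules/acr/token-mgmt-role.bicep, deployed from templates/global.bicep when manageTokenRole is true`. The role is created at subscription scope while this module is deployed into a resource group and the lookup carries no `scope:`; it is worth confirming the resulting roleDefinitionId resolves as intended, or adding `scope: subscription()` to the existing resource. The `import * as tmr` line is placed between resource declarations; keeping imports at the top of the file with the other declarations is the usual convention. The enclosing file continues on both sides of the hunk.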
@@ -56,8 +56,3 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', acrPullRoleId)
 }
 }
-
-module tokenMgmtRole 'token-mgmt-role.bicep' = {
- name: 'acr-token-mgmt-role'
- scope: subscription()
-}
diff --git a/dev-infrastructure/modules/acr/token-mgmt-role.bicep b/dev-infrastructure/modules/acr/token-mgmt-role.bicep
index 386c427c8..a6aa67cf5 100644
--- a/dev-infrastructure/modules/acr/token-mgmt-role.bicep
+++ b/dev-infrastructure/modules/acr/token-mgmt-role.bicep
@@ -1,9 +1,12 @@
 targetScope = 'subscription'
+@export()
+var tokenManagementRoleName = 'token-mgmt-role'
+
 resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
- name: guid('token-mgmt-role')
+ name: guid(tokenManagementRoleName)
 properties: {
- roleName: 'ACR Manage Tokens'
+ roleName: 'ARO HCP ACR Token Management'
 type: 'customRole'
 assignableScopes: [
 subscription().id
diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
index 2af685289..b16f513a1 100644
--- a/dev-infrastructure/modules/aks-cluster-base.bicep
+++ b/dev-infrastructure/modules/aks-cluster-base.bicep
@@ -422,7 +422,7 @@ resource acrRg 'Microsoft.Resources/resourceGroups@2023-07-01' existing = [
 }
 ]
-module acrPullRole 'acr-permissions.bicep' = [
+module acrPullRole 'acr/acr-permissions.bicep' = [
 for (_, i) in acrPullResourceGroups: {
 name: guid(acrRg[i].id, aksCluster.id, acrPullRoleDefinitionId)
 scope: acrRg[i]
diff --git a/dev-infrastructure/modules/cluster-service.bicep b/dev-infrastructure/modules/cluster-service.bicep
index 569f6699e..fd3c4436f 100644
--- a/dev-infrastructure/modules/cluster-service.bicep
+++ b/dev-infrastructure/modules/cluster-service.bicep
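Review bot: `tokenManagementRoleName` is exported, but the resource name is still derived here as `guid(tokenManagementRoleName)` and rebuilt independently in acr/acr-permissions.bicep with the same expression, so the two files agree only by convention; a comment on the variable, `// acr-permissions.bicep looks this role up as guid(tokenManagementRoleName) — keep both in sync`, records that contract. Changing `roleName` to 'ARO HCP ACR Token Management' while keeping the same resource name updates the display name of the existing custom role in place, which ARM handles, but anything that locates the role by display name will need to follow; I cannot see such consumers from here.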
@@ -157,7 +157,7 @@ resource clustersServiceAcrResourceGroups 'Microsoft.Resources/resourceGroups@20
 }
 ]
-module acrManageTokenRole '../modules/acr-permissions.bicep' = [
+module acrManageTokenRole '../modules/acr/acr-permissions.bicep' = [
 for (_, i) in acrResourceGroupNames: if (acrResourceGroupNames[i] != '') {
 // temp hack for MSFT pipelines
 name: guid(clustersServiceAcrResourceGroups[i].id, resourceGroup().name, 'clusters-service', 'manage-tokens')
diff --git a/dev-infrastructure/svc-pipeline.yaml b/dev-infrastructure/svc-pipeline.yaml
index 0032351ea..6a341c1ac 100644
--- a/dev-infrastructure/svc-pipeline.yaml
+++ b/dev-infrastructure/svc-pipeline.yaml
@@ -32,8 +32,8 @@ resourceGroups:
 steps:
 - name: acr-ocp
 action: ARM
- template: templates/dev-acr.bicep
- parameters: configurations/acr-ocp.tmpl.bicepparam
+ template: templates/global.bicep
+ parameters: configurations/global.tmpl.bicepparam
 #
 # A T T E M P T 1
diff --git a/dev-infrastructure/templates/dev-acr.bicep b/dev-infrastructure/templates/dev-acr.bicep
index 6b6d7e24c..f3eef6c2d 100644
--- a/dev-infrastructure/templates/dev-acr.bicep
+++ b/dev-infrastructure/templates/dev-acr.bicep
@@ -3,12 +3,6 @@
 @description('Globally unique name of the Azure Container Registry')
 param acrName string
-@description('Location of the registry.')
-param location string = resourceGroup().location
- @description('Service tier of the Azure Container Registry.')
-param acrSku string
-
 @description('List of quay repositories to cache in the Azure Container Registry.')
 param quayRepositoriesToCache array = []
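Review bot: The step keeps the name `acr-ocp` but now deploys templates/global.bicep, which creates both registries and, when `manageTokenRole` is true, a subscription-scoped custom role; renaming the step to `global` (matching the new Makefile target) would stop the name from misleading. The step runs under `resourceGroups:` while the template contains `scope: subscription()` for the role module, so the identity running this pipeline needs rights to create role definitions at subscription scope whenever that flag is on; config.msft.yaml sets `manageTokenCustomRole: false` for this environment, so presumably not today, but that requirement is invisible from the pipeline file and deserves a comment on the step. I also cannot see from this hunk whether a dev-acr.bicep step (cache rules, pull credentials) for the OCP registry still exists elsewhere in the pipeline after this replacement.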
@@ -22,24 +16,12 @@ resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
 name: keyVaultName
 }
-module acr '../modules/acr/acr.bicep' = {
- name: '${deployment().name}-acrName'
- params: {
- acrName: acrName
- location: location
- acrSku: acrSku
- }
-}
-
 resource acrResource 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' existing = {
 name: acrName
 }
 resource pullCredential 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = [
 for repo in quayRepositoriesToCache: {
- dependsOn: [
- acr
- ]
 name: repo.ruleName
 parent: acrResource
 identity: {
@@ -60,9 +42,6 @@ resource pullCredential 'Microsoft.ContainerRegistry/registries/credentialSets@2
 resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-01-01-preview' = [
 for (repo, i) in quayRepositoriesToCache: {
- dependsOn: [
- acr
- ]
 name: repo.ruleName
 parent: acrResource
 properties: {
@@ -75,9 +54,6 @@ resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-01-01
 resource secretAccessPermission 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
 for (repo, i) in quayRepositoriesToCache: {
- dependsOn: [
- acr
- ]
 scope: keyVault
 name: guid(keyVault.id, 'quayPullSecrets', 'read', repo.ruleName, acrName)
 properties: {
@@ -93,11 +69,8 @@ resource secretAccessPermission 'Microsoft.Authorization/roleAssignments@2022-04
 resource purgeCached 'Microsoft.ContainerRegistry/registries/tasks@2019-04-01' = [
 for purgeJob in purgeJobs: {
- dependsOn: [
- acr
- ]
 name: '${purgeJob.name}'
- location: location
+ location: resourceGroup().location
 parent: acrResource
 properties: {
 agentConfiguration: {
diff --git a/dev-infrastructure/templates/global.bicep b/dev-infrastructure/templates/global.bicep
new file mode 100644
index 000000000..8b67d75b1
--- /dev/null
+++ b/dev-infrastructure/templates/global.bicep
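Review bot: With the `acr` module and the `dependsOn` entries removed, `resource acrResource ... existing` silently assumes the registry has already been created by templates/global.bicep, and nothing in this template records that ordering; a comment on the existing resource would, e.g. `// the registry itself is created by templates/global.bicep; this template only configures it`. In the last hunk of this file, `purgeCached` switches to `location: resourceGroup().location`, while the registry is placed at `.global.region` by global.tmpl.bicepparam; if the group and registry regions can differ, `location: acrResource.location` would follow the registry rather than the group — worth checking against what ACR tasks require.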
@@ -0,0 +1,32 @@
+param ocpAcrName string
+param ocpAcrSku string
+
+param svcAcrName string
+param svcAcrSku string
+
+param location string
+
+param manageTokenRole bool
+
+module ocpAcr '../modules/acr/acr.bicep' = {
+ name: '${deployment().name}-${ocpAcrName}'
+ params: {
+ acrName: ocpAcrName
+ acrSku: ocpAcrSku
+ location: location
+ }
+}
+
+module svcAcr '../modules/acr/acr.bicep' = {
+ name: '${deployment().name}-${svcAcrSku}'
+ params: {
+ acrName: svcAcrName
+ acrSku: svcAcrSku
+ location: location
+ }
+}
+
+module tokenMgmtRole '../modules/acr/token-mgmt-role.bicep' = if (manageTokenRole) {
+ name: 'acr-token-mgmt-role'
+ scope: subscription()
+}
diff --git a/dev-infrastructure/templates/image-sync.bicep b/dev-infrastructure/templates/image-sync.bicep
index cac74219b..cfce0574b 100644
--- a/dev-infrastructure/templates/image-sync.bicep
+++ b/dev-infrastructure/templates/image-sync.bicep
@@ -83,7 +83,7 @@ resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
 // ACRs can be in different RGs or even subscriptions. ideally we should
 // be able to deal with ACR resource IDs as input instead of RG and ACR names
-module acrContributorRole '../modules/acr-permissions.bicep' = {
+module acrContributorRole '../modules/acr/acr-permissions.bicep' = {
 name: guid(imageSyncManagedIdentity, location, 'acr', 'readwrite')
 scope: resourceGroup(acrResourceGroup)
 params: {
@@ -93,7 +93,7 @@ module acrContributorRole '../modules/acr-permissions.bicep' = {
 }
 }
-module acrPullRole '../modules/acr-permissions.bicep' = {
+module acrPullRole '../modules/acr/acr-permissions.bicep' = {
 name: guid(imageSyncManagedIdentity, location, 'acr', 'pull')
 scope: resourceGroup(acrResourceGroup)
 params: {
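Review bot: `svcAcr` names its deployment `'${deployment().name}-${svcAcrSku}'`, which reads as a copy-paste of the `ocpAcr` block and should use the registry name: `name: '${deployment().name}-${svcAcrName}'`. As written the SKU ('Premium' from global.tmpl.bicepparam) lands in the deployment name, and the two module deployments stay distinguishable only because `ocpAcr` happens to use a different expression. The parameters also carry no `@description(...)` decorators, unlike dev-acr.bicep alongside it; `manageTokenRole` in particular deserves one, since it gates a subscription-scoped role definition that modules/acr/acr-permissions.bicep later expects to exist, e.g. `@description('Create the custom ACR token-management role at subscription scope; acr-permissions.bicep requires it when grantManageTokenAccess is set.')`.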