From 7c44b883bfad7aae02f8ce54d15a6fdfe22654a3 Mon Sep 17 00:00:00 2001
From: Chetan Giradkar
Date: Fri, 4 Oct 2024 11:25:05 +0100
Subject: [PATCH] make --directory=cluster-service personal-runtime-config

---
 cluster-service/Makefile | 8 +++-
 cluster-service/config.tmpl.mk | 1 +
 .../arohcp-service-template.yml | 41 +++++++++++++++++++
 config/config.yaml | 2 +-
 config/public-cloud-cs-pr.json | 3 +-
 config/public-cloud-dev.json | 3 +-
 config/public-cloud-personal-dev.json | 3 +-
 7 files changed, 56 insertions(+), 5 deletions(-)

diff --git a/cluster-service/Makefile b/cluster-service/Makefile
index f45e4a8ad..1d46ff32b 100644
--- a/cluster-service/Makefile
+++ b/cluster-service/Makefile
@@ -12,6 +12,8 @@ deploy: deploy-namespace-template deploy-istio-configurations-template ${DB_SECR
 OIDC_CONTAINER="$$web" && \
 OCP_ACR_URL=$(shell az acr show -n ${OCP_ACR_NAME} --query loginServer -o tsv) && \
 OCP_ACR_RESOURCE_ID=$(shell az acr show -n ${OCP_ACR_NAME} --query id -o tsv) && \
+ AZURE_ARM_HELPER_IDENTITY_CLIENT_ID=$(shell az ad app list --display-name aro-dev-arm-helper --query '[*]'.appId -o tsv) && \
+ AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID=$(shell az ad sp list --display-name aro-dev-first-party --query "[*].id" -o tsv) && \
 oc process --local -f deploy/openshift-templates/arohcp-service-template.yml \
 -p AZURE_CS_MI_CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} \
 -p TENANT_ID=$${TENANT_ID} \
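Review bot: Both new lookups bind an identity to a hard-coded, mutable display name (`aro-dev-arm-helper`, `aro-dev-first-party`) resolved at deploy time, and `az ad app list --display-name` / `az ad sp list --display-name` can return zero or several rows: an empty result silently passes "" into the template, and several rows produce a newline-separated value that is pasted into the `-p` argument; whoever can register an app with that display name in the tenant wins the lookup. Comparable values such as `AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID` come templated from config.tmpl.mk, so these ids should likewise be sourced from config, or the recipe should fail unless exactly one id came back, e.g. `test "$$(printf '%s\n' "$${AZURE_ARM_HELPER_IDENTITY_CLIENT_ID}" | wc -l)" -eq 1 && \`. The second line is labelled "mock FPA" but queries `aro-dev-first-party`, while the template describes the parameter as the ARM Helper Identity; worth confirming which principal is intended and making the name and description agree. The `'[*]'.appId` quoting works but differs from the `"[*].id"` form on the next line. The `deploy` recipe continues outside this hunk.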
@@ -26,7 +28,11 @@ deploy: deploy-namespace-template deploy-istio-configurations-template ${DB_SECR
 -p OCP_ACR_RESOURCE_ID=$${OCP_ACR_RESOURCE_ID} \
 -p OCP_ACR_URL=$${OCP_ACR_URL} \
 -p DATABASE_DISABLE_TLS=${DATABASE_DISABLE_TLS} \
- -p DATABASE_AUTH_METHOD=${DATABASE_AUTH_METHOD} | oc apply -f -
+ -p DATABASE_AUTH_METHOD=${DATABASE_AUTH_METHOD} \
+ -p AZURE_ARM_HELPER_IDENTITY_CLIENT_ID=${AZURE_ARM_HELPER_IDENTITY_CLIENT_ID} \
+ -p AZURE_ARM_HELPER_IDENTITY_CERT_NAME=${MOCK_FPA_CERT_NAME} \
+ -p AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID=${AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID} \
+ | oc apply -f -
 
 deploy-namespace-template:
 ISTO_VERSION=$(shell az aks show -n ${AKS_NAME} -g ${RESOURCEGROUP} --query serviceMeshProfile.istio.revisions[-1] -o tsv) && \
diff --git a/cluster-service/config.tmpl.mk b/cluster-service/config.tmpl.mk
index 8628c44aa..1fbfed06b 100644
--- a/cluster-service/config.tmpl.mk
+++ b/cluster-service/config.tmpl.mk
@@ -11,6 +11,7 @@ ACR_NAME ?= {{ .svcAcrName }}
 OCP_ACR_NAME ?= {{ .ocpAcrName }}
 AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID ?= {{ .firstPartyAppClientId }}
 FPA_CERT_NAME ?= firstPartyCert
+MOCK_FPA_CERT_NAME ?= armHelperCert
 ZONE_NAME ?= {{ .regionalDNSSubdomain }}.{{ .baseDnsZoneName }}
 DATABASE_DISABLE_TLS ?= {{ not .clusterServicePostgresDeploy }}
 
diff --git a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
index 3ea72a690..f8e47f802 100644
--- a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
+++ b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
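Review bot: The two new `-p` lines reference values that the earlier recipe lines assign as shell variables, but with Make syntax: `${AZURE_ARM_HELPER_IDENTITY_CLIENT_ID}` and `${AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID}` are expanded by make before the shell runs, and unless a Make variable of the same name is defined elsewhere (config.mk or the environment) they expand to nothing, so the template receives empty values and the `az ad` lookups are wasted. The neighbouring shell-sourced values use the escaped form (`$${OCP_ACR_URL}`, `$${OCP_ACR_RESOURCE_ID}`); these two should match: `-p AZURE_ARM_HELPER_IDENTITY_CLIENT_ID=$${AZURE_ARM_HELPER_IDENTITY_CLIENT_ID} \` and `-p AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID=$${AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID} \`. `${MOCK_FPA_CERT_NAME}` is correct as written because it is a Make variable from config.tmpl.mk. The `deploy` recipe starts before this hunk.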
@@ -247,6 +247,15 @@ parameters:
 - name: DATABASE_AUTH_METHOD
 description: "Authentication method to use when connecting to the database. Accepted values are 'az-entra', 'postgres'"
 value: "az-entra"
+- name: AZURE_ARM_HELPER_IDENTITY_CLIENT_ID
+ description: The client id of the service principal that represents the ARM Helper Identity.
+ value: ""
+- name: AZURE_ARM_HELPER_IDENTITY_CERT_NAME
+ description: The name of the secret that contains the ARM Helper Indentity certificate bundle.
+ value: ""
+- name: AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID
+ description: The principal id of the service principal that represents the ARM Helper Identity
+ value: ""
 
 objects:
 
@@ -270,6 +279,26 @@ objects:
 usePodIdentity: "false"
 provider: azure
 
+- apiVersion: secrets-store.csi.x-k8s.io/v1
+ kind: SecretProviderClass
+ metadata:
+ name: arm-identity
+ namespace: ${NAMESPACE}
+ spec:
+ parameters:
+ clientID: ${AZURE_CS_MI_CLIENT_ID}
+ cloudName: AzurePublicCloud
+ keyvaultName: ${SERVICE_KEYVAULT_NAME}
+ objects: |-
+ array:
+ - |
+ objectName: ${AZURE_ARM_HELPER_IDENTITY_CERT_NAME}
+ objectType: secret
+ objectAlias: armHelperIndentityCertificateBundle
+ tenantId: ${TENANT_ID}
+ usePodIdentity: "false"
+ provider: azure
+
 - apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -555,6 +584,12 @@ objects:
 - name: azure-credentials
 secret:
 secretName: azure-credentials
+ - name: arm-identity
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: arm-identity
 - name: keyvault
 csi:
 driver: secrets-store.csi.k8s.io
@@ -624,6 +659,9 @@ objects:
 - name: azure-operators-managed-identities-config
 mountPath: /configs/azure-operators-managed-identities-config.yaml
 subPath: azure-operators-managed-identities-config.yaml
+ - name: arm-identity
+ mountPath: /secrets/arm-identity
+ readOnly: true
 env:
 - name: NAMESPACE
 valueFrom:
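Review bot: All three parameters default to `value: ""`, so a caller that omits one gets a SecretProviderClass with an empty `objectName` and a container started with `--azure-arm-helper-identity-client-id=`; the mistake then surfaces at pod start (CSI mount) or inside cluster-service instead of at `oc process` time. OpenShift template parameters support `required: true`, which rejects the omission up front; `AZURE_ARM_HELPER_IDENTITY_CERT_NAME` at least should carry it. The second description misspells the identity and should read `description: The name of the secret that contains the ARM Helper Identity certificate bundle.`, and the third lacks the trailing period the other two have. The third description also says the principal "represents the ARM Helper Identity" while the Makefile resolves it under the first-party display name; whichever is correct, the description should say which principal is expected.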
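Review bot: `objectAlias: armHelperIndentityCertificateBundle` carries a typo that becomes part of the file name the container is told to read (the `--azure-arm-helper-identity-certificate-bundle-path` flag added further down ends in the same misspelled name); it works because both sides agree, but correcting the spelling on one side only breaks the mount silently, so either fix both now (`objectAlias: armHelperIdentityCertificateBundle`) or add a comment beside the alias such as `# must match the --azure-arm-helper-identity-certificate-bundle-path flag below`. The new class reads from the same `${SERVICE_KEYVAULT_NAME}` with the same `${AZURE_CS_MI_CLIENT_ID}` and tenant as the class whose tail forms the leading context (presumably the existing `keyvault` class the volume list also references); if nothing requires the two certificate bundles to live in separate volumes, a second entry in that class's `objects` array would avoid a second SecretProviderClass, volume and mount. `readOnly: true` on the volume and mount hunks below matches the existing pattern.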
@@ -676,6 +714,9 @@ objects:
 - --azure-first-party-application-certificate-bundle-path=/secrets/keyvault/firstPartyApplicationCertificateBundle
 - --azure-runtime-config-path=/configs/azure-runtime-config/config.json
 - --azure-operators-managed-identities-config-path=/configs/azure-operators-managed-identities-config.yaml
+ - --azure-arm-helper-identity-certificate-bundle-path=/secrets/arm-identity/armHelperIndentityCertificateBundle
+ - --azure-arm-helper-identity-client-id=${AZURE_ARM_HELPER_IDENTITY_CLIENT_ID}
+ - --azure-arm-helper-mock-fpa-principal-id=${AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID}
 livenessProbe:
 httpGet:
 path: /api/clusters_mgmt/v1
diff --git a/config/config.yaml b/config/config.yaml
index 5eba0d0a3..5444d2818 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -115,7 +115,7 @@ clouds:
 maestroImageBase: quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro
 maestroImageTag: ea066c250a002f0cc458711945165591bc9f6d3f
 # Cluster Service
- clusterServiceImageTag: a23276d
+ clusterServiceImageTag: 356f85d
 clusterServiceImageRepo: app-sre/uhc-clusters-service
 # Hypershift Operator
 hypershiftOperatorImageTag: a95fc46
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
index 9545a84ff..c335f0a02 100644
--- a/config/public-cloud-cs-pr.json
+++ b/config/public-cloud-cs-pr.json
@@ -6,7 +6,7 @@
 "baseDnsZoneRG": "global",
 "clusterServiceAcrRG": "global",
 "clusterServiceImageRepo": "app-sre/uhc-clusters-service",
- "clusterServiceImageTag": "a23276d",
+ "clusterServiceImageTag": "356f85d",
 "clusterServicePostgresDeploy": true,
 "clusterServicePostgresName": "arohcp-cs-cspr",
 "clusterServicePostgresPrivate": false,
@@ -16,6 +16,7 @@
 "externalDNSImageTag": "v0.14.2",
 "externalDNSManagedIdentityName": "external-dns",
 "externalDNSServiceAccountName": "external-dns",
+ "extraVars": {},
 "firstPartyAppClientId": "57e54810-3138-4f38-bd3b-29cb33f4c358",
 "frontendCosmosDBDeploy": true,
 "frontendCosmosDBDisableLocalAuth": true,
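Review bot: The three new flags are emitted unconditionally, so any deployment that does not set the new parameters (template defaults are "") runs cluster-service with `--azure-arm-helper-identity-client-id=` and `--azure-arm-helper-mock-fpa-principal-id=` while still mounting a certificate bundle under `/secrets/arm-identity`; whether cluster-service treats an empty value as "feature off" or as a misconfiguration is not visible here and should be confirmed, because the config changes in this commit suggest the same template serves the cs-pr and dev environments, not only personal ones. If the ARM-helper path is meant to be dev-only, stating the empty-value behaviour in the three parameter descriptions, or passing the flags only when the values are non-empty, would make that intent explicit. The container args list continues outside this hunk.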
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
index b642989bc..f60703573 100644
--- a/config/public-cloud-dev.json
+++ b/config/public-cloud-dev.json
@@ -6,7 +6,7 @@
 "baseDnsZoneRG": "global",
 "clusterServiceAcrRG": "global",
 "clusterServiceImageRepo": "app-sre/uhc-clusters-service",
- "clusterServiceImageTag": "a23276d",
+ "clusterServiceImageTag": "356f85d",
 "clusterServicePostgresDeploy": true,
 "clusterServicePostgresName": "arohcp-cs-dev",
 "clusterServicePostgresPrivate": false,
@@ -16,6 +16,7 @@
 "externalDNSImageTag": "v0.14.2",
 "externalDNSManagedIdentityName": "external-dns",
 "externalDNSServiceAccountName": "external-dns",
+ "extraVars": {},
 "firstPartyAppClientId": "57e54810-3138-4f38-bd3b-29cb33f4c358",
 "frontendCosmosDBDeploy": true,
 "frontendCosmosDBDisableLocalAuth": true,
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
index a5845caba..7389a97fb 100644
--- a/config/public-cloud-personal-dev.json
+++ b/config/public-cloud-personal-dev.json
@@ -6,7 +6,7 @@
 "baseDnsZoneRG": "global",
 "clusterServiceAcrRG": "global",
 "clusterServiceImageRepo": "app-sre/uhc-clusters-service",
- "clusterServiceImageTag": "a23276d",
+ "clusterServiceImageTag": "356f85d",
 "clusterServicePostgresDeploy": false,
 "clusterServicePostgresName": "arohcp-cs-usw3tst",
 "clusterServicePostgresPrivate": false,
@@ -16,6 +16,7 @@
 "externalDNSImageTag": "v0.14.2",
 "externalDNSManagedIdentityName": "external-dns",
 "externalDNSServiceAccountName": "external-dns",
+ "extraVars": {},
 "firstPartyAppClientId": "57e54810-3138-4f38-bd3b-29cb33f4c358",
 "frontendCosmosDBDeploy": true,
 "frontendCosmosDBDisableLocalAuth": true,