Merge pull request #695 from Azure/ARO-10633-ARM-Helper-Identity

ARO-10633 | Add ARM Helper Indentity supporting properties
Azure · Dec 2, 2024 · 9b050c3 · 9b050c3
2 parents da58d4b + e6169d4
commit 9b050c3
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/cluster-service/Makefile b/cluster-service/Makefile
@@ -11,6 +11,8 @@ deploy: deploy-namespace-template deploy-istio-configurations-template ${DB_SECR
 	OIDC_ISSUER_BASE_ENDPOINT=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${RESOURCEGROUP} --query primaryEndpoints.web -o tsv) && \
 	OCP_ACR_URL=$(shell az acr show -n ${OCP_ACR_NAME} --query loginServer -o tsv) && \
 	OCP_ACR_RESOURCE_ID=$(shell az acr show -n ${OCP_ACR_NAME} --query id -o tsv) && \
+	AZURE_ARM_HELPER_IDENTITY_CLIENT_ID=$(shell az ad app list --display-name aro-dev-arm-helper --query '[*]'.appId -o tsv) && \
+	AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID=$(shell az ad sp list --display-name aro-dev-first-party --query "[*].id" -o tsv) && \
 	oc process --local -f deploy/openshift-templates/arohcp-service-template.yml \
 	  -p AZURE_CS_MI_CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} \
 	  -p TENANT_ID=$${TENANT_ID} \
@@ -30,7 +32,11 @@ deploy: deploy-namespace-template deploy-istio-configurations-template ${DB_SECR
 	  -p AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID} \
 	  -p AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID} \
 	  -p AZURE_MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME=${MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME} \
-	  -p DATABASE_AUTH_METHOD=${DATABASE_AUTH_METHOD} | oc apply -f -
+	  -p DATABASE_AUTH_METHOD=${DATABASE_AUTH_METHOD} \
+	  -p AZURE_ARM_HELPER_IDENTITY_CLIENT_ID=${AZURE_ARM_HELPER_IDENTITY_CLIENT_ID} \
+	  -p AZURE_ARM_HELPER_IDENTITY_CERT_NAME=${ARM_HELPER_CERT_NAME} \
+	  -p AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID=${AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID} \
+	  | oc apply -f -
 
 deploy-namespace-template:
 	ISTO_VERSION=$(shell az aks show -n ${AKS_NAME} -g ${RESOURCEGROUP} --query serviceMeshProfile.istio.revisions[-1] -o tsv) && \

diff --git a/cluster-service/config.tmpl.mk b/cluster-service/config.tmpl.mk
@@ -14,6 +14,7 @@ FPA_CERT_NAME ?= firstPartyCert
 AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID ?= {{ .miMockPrincipalId }}
 AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID ?= {{ .miMockClientId }}
 MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME ?= msiMockCert
+ARM_HELPER_CERT_NAME ?= armHelperCert
 ZONE_NAME ?= {{ .regionalDNSSubdomain }}.{{ .baseDnsZoneName }}
 
 DATABASE_DISABLE_TLS ?= {{ not .clusterService.postgres.deploy }}

diff --git a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
@@ -252,6 +252,14 @@ parameters:
   value: ""
 - name: OIDC_ISSUER_BASE_URL
   description: "OIDC base issuer URL, e.g. https://<storage-account>.z1.web.core.windows.net/"
+- name: AZURE_ARM_HELPER_IDENTITY_CLIENT_ID
+  description: The client id of the service principal that represents the ARM Helper Identity.
+  value: ""
+- name: AZURE_ARM_HELPER_IDENTITY_CERT_NAME
+  description: The name of the secret that contains the ARM Helper Indentity certificate bundle.
+  value: ""
+- name: AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID
+  description: The principal id of the service principal that represents the mock first party application identity
   value: ""
 - name: AZURE_MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME
   description: The name of the secret that contains the mock managed identities certificate bundle.
@@ -284,6 +292,10 @@ objects:
             objectName: ${AZURE_MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME}
             objectType: secret
             objectAlias: mockMiServicePrincipalCertificateBundle
+          - |
+            objectName: ${AZURE_ARM_HELPER_IDENTITY_CERT_NAME}
+            objectType: secret
+            objectAlias: armHelperIndentityCertificateBundle
       tenantId: ${TENANT_ID}
       usePodIdentity: "false"
     provider: azure
@@ -705,6 +717,9 @@ objects:
           - --azure-mi-mock-service-principal-certificate-bundle-path=/secrets/keyvault/mockMiServicePrincipalCertificateBundle
           - --azure-mi-mock-service-principal-client-id=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID}
           - --azure-mi-mock-service-principal-principal-id=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID}
+          - --azure-arm-helper-identity-certificate-bundle-path=/secrets/keyvault/armHelperIndentityCertificateBundle
+          - --azure-arm-helper-identity-client-id=${AZURE_ARM_HELPER_IDENTITY_CLIENT_ID}
+          - --azure-arm-helper-mock-fpa-principal-id=${AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID}
           livenessProbe:
             httpGet:
               path: /api/clusters_mgmt/v1