diff --git a/cluster-service/Makefile b/cluster-service/Makefile
index 68000b3a2..119ac7de3 100644
--- a/cluster-service/Makefile
+++ b/cluster-service/Makefile
@@ -11,6 +11,8 @@ deploy: deploy-namespace-template deploy-istio-configurations-template ${DB_SECR
 OIDC_ISSUER_BASE_ENDPOINT=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${RESOURCEGROUP} --query primaryEndpoints.web -o tsv) && \
 OCP_ACR_URL=$(shell az acr show -n ${OCP_ACR_NAME} --query loginServer -o tsv) && \
 OCP_ACR_RESOURCE_ID=$(shell az acr show -n ${OCP_ACR_NAME} --query id -o tsv) && \
+ AZURE_ARM_HELPER_IDENTITY_CLIENT_ID=$(shell az ad app list --display-name aro-dev-arm-helper --query '[*]'.appId -o tsv) && \
+ AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID=$(shell az ad sp list --display-name aro-dev-first-party --query "[*].id" -o tsv) && \
 oc process --local -f deploy/openshift-templates/arohcp-service-template.yml \
 -p AZURE_CS_MI_CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} \
 -p TENANT_ID=$${TENANT_ID} \
@@ -30,7 +32,11 @@ deploy: deploy-namespace-template deploy-istio-configurations-template ${DB_SECR
 -p AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID} \
 -p AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID} \
 -p AZURE_MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME=${MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME} \
- -p DATABASE_AUTH_METHOD=${DATABASE_AUTH_METHOD} | oc apply -f -
+ -p DATABASE_AUTH_METHOD=${DATABASE_AUTH_METHOD} \
+ -p AZURE_ARM_HELPER_IDENTITY_CLIENT_ID=${AZURE_ARM_HELPER_IDENTITY_CLIENT_ID} \
+ -p AZURE_ARM_HELPER_IDENTITY_CERT_NAME=${ARM_HELPER_CERT_NAME} \
+ -p AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID=${AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID} \
+ | oc apply -f -
 
 deploy-namespace-template:
 ISTO_VERSION=$(shell az aks show -n ${AKS_NAME} -g ${RESOURCEGROUP} --query serviceMeshProfile.istio.revisions[-1] -o tsv) && \
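Review bot: The two new `$(shell az ad … list --display-name …)` lookups in the first hunk resolve an identity by display name, which is not unique within a tenant, and `[*].appId` / `[*].id` return every match, so a second registration called `aro-dev-arm-helper` or `aro-dev-first-party` produces a multi-line value or silently substitutes a different principal for the one the service is presumably meant to trust. The existing lookups on the surrounding lines take their names from config variables (`${OCP_ACR_NAME}`, `${OIDC_STORAGE_ACCOUNT}`), whereas these two hard-code the dev names; reading them from config.tmpl.mk and resolving by app id or object id rather than by name, or at least failing when the lookup does not return exactly one result, would close that gap. The query quoting also differs between the two lines (`'[*]'.appId` versus `"[*].id"`); both reach az unchanged, but one form would be clearer. The `deploy` recipe begins before this hunk.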
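Review bot: In the second hunk the new `-p AZURE_ARM_HELPER_IDENTITY_CLIENT_ID=${…}` and `-p AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID=${…}` lines use a single `$`, which Make expands as makefile variables, but those two names are assigned as shell variables earlier in the same recipe (the `… =$(shell …) && \` lines added in the first hunk), and shell variables are only reachable with `$$`, as the existing `-p AZURE_CS_MI_CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID}` line does. Unless the same names are also defined as Make variables elsewhere (config.tmpl.mk in this diff adds only `ARM_HELPER_CERT_NAME`), both parameters reach `oc process` empty and the template's `value: ""` defaults hide the mistake. Change the two lines to `-p AZURE_ARM_HELPER_IDENTITY_CLIENT_ID=$${AZURE_ARM_HELPER_IDENTITY_CLIENT_ID} \` and `-p AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID=$${AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID} \`; the `${ARM_HELPER_CERT_NAME}` reference is a config variable and is correct as written.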
diff --git a/cluster-service/config.tmpl.mk b/cluster-service/config.tmpl.mk
index ddfb96b20..338b683f9 100644
--- a/cluster-service/config.tmpl.mk
+++ b/cluster-service/config.tmpl.mk
@@ -14,6 +14,7 @@ FPA_CERT_NAME ?= firstPartyCert
 AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID ?= {{ .miMockPrincipalId }}
 AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID ?= {{ .miMockClientId }}
 MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME ?= msiMockCert
+ARM_HELPER_CERT_NAME ?= armHelperCert
 ZONE_NAME ?= {{ .regionalDNSSubdomain }}.{{ .baseDnsZoneName }}
 DATABASE_DISABLE_TLS ?= {{ not .clusterService.postgres.deploy }}
diff --git a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
index 16d1a5eca..53476bc51 100644
--- a/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
+++ b/cluster-service/deploy/openshift-templates/arohcp-service-template.yml
@@ -252,6 +252,14 @@ parameters:
 value: ""
 - name: OIDC_ISSUER_BASE_URL
 description: "OIDC base issuer URL, e.g. https://.z1.web.core.windows.net/"
+- name: AZURE_ARM_HELPER_IDENTITY_CLIENT_ID
+ description: The client id of the service principal that represents the ARM Helper Identity.
+ value: ""
+- name: AZURE_ARM_HELPER_IDENTITY_CERT_NAME
+ description: The name of the secret that contains the ARM Helper Indentity certificate bundle.
+ value: ""
+- name: AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID
+ description: The principal id of the service principal that represents the mock first party application identity
 value: ""
 - name: AZURE_MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME
 description: The name of the secret that contains the mock managed identities certificate bundle.
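Review bot: In the arohcp-service-template.yml hunk the eight added lines sit between the `description:` of `OIDC_ISSUER_BASE_URL` and its `value: ""` context line (the hunk counts, 6 old and 14 new, confirm that line is unchanged), so after the change that `value: ""` belongs to `AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID` and `OIDC_ISSUER_BASE_URL` no longer has a default; that is harmless only if every caller always passes it explicitly. Inserting the new block after the existing `value: ""` line, or adding `value: ""` back under the OIDC description, keeps the old parameter as it was. The `AZURE_ARM_HELPER_IDENTITY_CERT_NAME` description should read `ARM Helper Identity` rather than `Indentity`, and the `AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID` description lacks the trailing period its neighbours have. Because an empty client id or principal id is never a usable configuration, `required: true` on the two identity parameters would make `oc process` reject a missing value instead of deploying with it empty.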
@@ -284,6 +292,10 @@ objects:
 objectName: ${AZURE_MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME}
 objectType: secret
 objectAlias: mockMiServicePrincipalCertificateBundle
+ - |
+ objectName: ${AZURE_ARM_HELPER_IDENTITY_CERT_NAME}
+ objectType: secret
+ objectAlias: armHelperIndentityCertificateBundle
 tenantId: ${TENANT_ID}
 usePodIdentity: "false"
 provider: azure
@@ -705,6 +717,9 @@ objects:
 - --azure-mi-mock-service-principal-certificate-bundle-path=/secrets/keyvault/mockMiServicePrincipalCertificateBundle
 - --azure-mi-mock-service-principal-client-id=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID}
 - --azure-mi-mock-service-principal-principal-id=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID}
+ - --azure-arm-helper-identity-certificate-bundle-path=/secrets/keyvault/armHelperIndentityCertificateBundle
+ - --azure-arm-helper-identity-client-id=${AZURE_ARM_HELPER_IDENTITY_CLIENT_ID}
+ - --azure-arm-helper-mock-fpa-principal-id=${AZURE_ARM_HELPER_MOCK_FPA_PRINCIPAL_ID}
 livenessProbe:
 httpGet:
 path: /api/clusters_mgmt/v1
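Review bot: The new Key Vault object alias `armHelperIndentityCertificateBundle` and the matching `--azure-arm-helper-identity-certificate-bundle-path=/secrets/keyvault/armHelperIndentityCertificateBundle` argument in the second hunk (`@@ -705,6 +717,9 @@`) both carry the `Indentity` misspelling; they agree with each other, so the mount resolves, but the typo becomes part of a mounted path and of the service's CLI contract, which is awkward to rename once deployed. Renaming both to `armHelperIdentityCertificateBundle` before merging costs nothing. The client id and principal id passed on the two following arguments come from template parameters that default to `""` in this diff, so a lookup that returned nothing is only visible at runtime; if cluster-service does not already reject an empty `--azure-arm-helper-identity-client-id` or `--azure-arm-helper-mock-fpa-principal-id`, failing at startup would be the safer behaviour.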