Azure · janboll · Nov 28, 2024 · Nov 27, 2024 · miguelsorianod · Nov 27, 2024
@@ -27,6 +27,9 @@ deploy: deploy-namespace-template deploy-istio-configurations-template ${DB_SECR
 	  -p DATABASE_DISABLE_TLS=${DATABASE_DISABLE_TLS} \
 	  -p OIDC_ISSUER_BASE_URL=$${OIDC_ISSUER_BASE_ENDPOINT} \
 	  -p OIDC_ISSUER_BLOB_SERVICE_URL=$${OIDC_BLOB_SERVICE_ENDPOINT} \
+	  -p AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID} \
+	  -p AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID} \
+	  -p AZURE_MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME=${MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME} \
 	  -p DATABASE_AUTH_METHOD=${DATABASE_AUTH_METHOD} | oc apply -f -
 
 deploy-namespace-template:

@@ -11,6 +11,9 @@ ACR_NAME ?= {{ .svcAcrName }}
 OCP_ACR_NAME ?= {{ .ocpAcrName }}
 AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID ?= {{ .firstPartyAppClientId }}
 FPA_CERT_NAME ?= firstPartyCert
+AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID ?= {{ .miMockPrincipalId }}
+AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID ?= {{ .miMockClientId }}
+MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME ?= msiMockCert
 ZONE_NAME ?= {{ .regionalDNSSubdomain }}.{{ .baseDnsZoneName }}
 
 DATABASE_DISABLE_TLS ?= {{ not .clusterService.postgres.deploy }}

@@ -253,6 +253,14 @@ parameters:
 - name: OIDC_ISSUER_BASE_URL
   description: "OIDC base issuer URL, e.g. https://<storage-account>.z1.web.core.windows.net/"
   value: ""
+- name: AZURE_MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME
+  description: The name of the secret that contains the mock managed identities certificate bundle.
+- name: AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID
+  description: The client id of the mock managed identities service principal.
+  value: ""
+- name: AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID
+  description: The princiap id of the mock managed identities service principal.
+  value: ""
 
 objects:
 
@@ -272,6 +280,10 @@ objects:
             objectName: ${FPA_CERT_NAME}
             objectType: secret
             objectAlias: firstPartyApplicationCertificateBundle
+          - |
+            objectName: ${AZURE_MI_MOCK_SERVICE_PRINCIPAL_CERT_NAME}
+            objectType: secret
+            objectAlias: mockMiServicePrincipalCertificateBundle
       tenantId: ${TENANT_ID}
       usePodIdentity: "false"
     provider: azure
@@ -690,6 +702,9 @@ objects:
           - --azure-first-party-application-certificate-bundle-path=/secrets/keyvault/firstPartyApplicationCertificateBundle
           - --azure-runtime-config-path=/configs/azure-runtime-config/config.json
           - --azure-operators-managed-identities-config-path=/configs/azure-operators-managed-identities-config.yaml
+          - --azure-mi-mock-service-principal-certificate-bundle-path=/secrets/keyvault/mockMiServicePrincipalCertificateBundle
+          - --azure-mi-mock-service-principal-client-id=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID}
+          - --azure-mi-mock-service-principal-principal-id=${AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID}
           livenessProbe:
             httpGet:
               path: /api/clusters_mgmt/v1

@@ -126,7 +126,7 @@ clouds:
       maestro:
         imageTag: ea066c250a002f0cc458711945165591bc9f6d3f
       clusterService:
-        imageTag: aac7623
+        imageTag: ecd15ad
         imageRepo: app-sre/uhc-clusters-service
       hypershiftOperator:
         imageTag: 9aca808
@@ -178,6 +178,11 @@ clouds:
           # 1P app
           firstPartyAppClientId: '??? the one used by CS to do first party stuff ???'
 
+          # Mock Managed Identities Service Princiapl.
+          # This is a stub identity to be used by CS in environments where the MI (formerly MSI) RP isn't available.
+          miMockClientId: ''
+          miMockPrincipalId: ''
+
           # disable KV softdelete for easy cleanup and recreate in INT
           cxKeyVault:
             softDelete: false

@@ -103,6 +103,12 @@
       "firstPartyAppClientId": {
         "type": "string"
       },
+      "miMockClientId": {
+        "type": "string"
+      },
+      "miMockPrincipalId": {
+        "type": "string"
+      },
       "frontend": {
         "type": "object",
         "properties": {

@@ -119,14 +119,17 @@ clouds:
       baseDnsZoneName: 'hcp.osadev.cloud'
       # 1P app
       firstPartyAppClientId: 57e54810-3138-4f38-bd3b-29cb33f4c358
+      # Mock Managed Identities Service Princiapl
+      miMockClientId: 4daa4e3b-abc1-4f9c-812c-77bd37e06741
+      miMockPrincipalId: a03f690c-4b2e-4eef-841e-f1904efe0e37
       # Maestro
       maestro:
         postgres:
           deploy: false
         imageTag: ea066c250a002f0cc458711945165591bc9f6d3f
       # Cluster Service
       clusterService:
-        imageTag: aac7623
+        imageTag: ecd15ad
         imageRepo: app-sre/uhc-clusters-service
       # Hypershift Operator
       hypershiftOperator:

@@ -7,7 +7,7 @@
   "clusterService": {
     "acrRG": "global",
     "imageRepo": "app-sre/uhc-clusters-service",
-    "imageTag": "aac7623",
+    "imageTag": "ecd15ad",
     "postgres": {
       "deploy": true,
       "minTLSVersion": "TLSV1.2",
@@ -101,6 +101,8 @@
     "private": false,
     "softDelete": false
   },
+  "miMockClientId": "4daa4e3b-abc1-4f9c-812c-77bd37e06741",
+  "miMockPrincipalId": "a03f690c-4b2e-4eef-841e-f1904efe0e37",
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
     "grafanaName": "arohcp-cspr",

@@ -7,7 +7,7 @@
   "clusterService": {
     "acrRG": "global",
     "imageRepo": "app-sre/uhc-clusters-service",
-    "imageTag": "aac7623",
+    "imageTag": "ecd15ad",
     "postgres": {
       "deploy": true,
       "minTLSVersion": "TLSV1.2",
@@ -101,6 +101,8 @@
     "private": false,
     "softDelete": false
   },
+  "miMockClientId": "4daa4e3b-abc1-4f9c-812c-77bd37e06741",
+  "miMockPrincipalId": "a03f690c-4b2e-4eef-841e-f1904efe0e37",
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
     "grafanaName": "arohcp-dev",

@@ -7,7 +7,7 @@
   "clusterService": {
     "acrRG": "westus3-shared-resources",
     "imageRepo": "app-sre/uhc-clusters-service",
-    "imageTag": "aac7623",
+    "imageTag": "ecd15ad",
     "postgres": {
       "deploy": true,
       "minTLSVersion": "TLSV1.2",
@@ -101,6 +101,8 @@
     "private": false,
     "softDelete": false
   },
+  "miMockClientId": "",
+  "miMockPrincipalId": "",
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "??? the one to be used as Grafana Admin in grafana.bicep ???",
     "grafanaName": "arohcp-int",

@@ -7,7 +7,7 @@
   "clusterService": {
     "acrRG": "global",
     "imageRepo": "app-sre/uhc-clusters-service",
-    "imageTag": "aac7623",
+    "imageTag": "ecd15ad",
     "postgres": {
       "deploy": false,
       "minTLSVersion": "TLSV1.2",
@@ -101,6 +101,8 @@
     "private": false,
     "softDelete": false
   },
+  "miMockClientId": "4daa4e3b-abc1-4f9c-812c-77bd37e06741",
+  "miMockPrincipalId": "a03f690c-4b2e-4eef-841e-f1904efe0e37",
   "monitoring": {
     "grafanaAdminGroupPrincipalId": "6b6d3adf-8476-4727-9812-20ffdef2b85c",
     "grafanaName": "arohcp-usw3tst",