AKS template for maestro

[geoberle]

the new template service-template-aro-hcp.yml is a first draft for deploying the maestro server on ARO-HCP. it leverages the pre-provisoned secrets that can be found on such a cluster, like the MQTT secret and CSI secret store configuration to transparently load client certificates from key vault.

this template does not claim to be the final prod ready template. we can use it for now to basic development flow within ARO-HCP and we can evolve it as we go.

part of https://issues.redhat.com/browse/ARO-7234

[geoberle]

/retest

[clyang82]

This is something we need to refactor the maestro server to get the db information from a secret instead of passing them one by one.

[clyang82]

we can do it in the future.

[geoberle]

we will need to adapt to passwordless login anyways in the future.
we can talk about that during the next sync

[markturansky]

this is correct for how RDS creates secrets. the keys are mounted as files and read.

how does passwordless work?

[clyang82]

what is main different with service-template.yml?

[geoberle]

• removed ServiceAccount because that is managed by the cluster provisioning and dressup mechanism (special annotations are placed on SAs during that time)
• usage of secrets-store.csi.k8s.io to access the MQTT client cert and private key from azure key vault
• removal of service.alpha.openshift.io/serving-cert-secret-name: maestro-tls generated secrets since this is not supported on AKS - the targeted solution for in-cluster TLS communication will be istio

[markturansky]

the existing templates are openshift-centric, like this annotation. They will work for us in ROSA HCP.

I made a separate set of AROHCP templates for CS, too, since they are different enough.