Add tenant-quota collector for opstool environment

Author: trevorwilliams2025

dev-infrastructure/ops-tools/tenant-quota/Dockerfile

@@ -0,0 +1,27 @@
+ARG PLATFORM
+
+# Builder image
+FROM --platform=${PLATFORM} mcr.microsoft.com/oss/go/microsoft/golang:1.24-fips-azurelinux3.0 AS builder
+COPY internal/go.mod internal/go.sum internal/
+COPY dev-infrastructure/ops-tools/tenant-quota/go.mod dev-infrastructure/ops-tools/tenant-quota/go.sum dev-infrastructure/ops-tools/tenant-quota/
+RUN cd dev-infrastructure/ops-tools/tenant-quota && go mod download
+WORKDIR /app
+COPY dev-infrastructure/ops-tools/tenant-quota/ dev-infrastructure/ops-tools/tenant-quota/
+COPY internal/ internal/
+ARG TAG
+# https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips#build-option-to-require-fips-mode
+ENV CGO_ENABLED=1 GOFLAGS='-tags=requirefips'
+
+RUN cd dev-infrastructure/ops-tools/tenant-quota && \
+    go build -ldflags="-X github.com/Azure/ARO-HCP/internal/version.CommitSHA=${TAG}" -o tenant-quota-collector .
+
+# Runtime image
+FROM --platform=${PLATFORM} mcr.microsoft.com/azurelinux/distroless/base:3.0
+USER 65532:65532
+WORKDIR /
+COPY --from=builder /app/dev-infrastructure/ops-tools/tenant-quota/tenant-quota-collector .
+ARG REVISION
+LABEL vcs-ref="${REVISION}"
+ENTRYPOINT ["/tenant-quota-collector"]
+
+

dev-infrastructure/ops-tools/tenant-quota/Makefile

@@ -0,0 +1,194 @@
+TENANT_QUOTA_COLLECTOR_DIR := $(abspath $(dir $(lastword $(MAKEFILE_LIST))))
+
+-include $(TENANT_QUOTA_COLLECTOR_DIR)/../../../setup-templatize-env.mk
+-include $(TENANT_QUOTA_COLLECTOR_DIR)/../../../.bingo/Variables.mk
+
+ARO_HCP_REVISION = $(shell git rev-parse HEAD)
+ARO_HCP_IMAGE_TAG ?= $(shell DEPLOY_ENV=${DEPLOY_ENV} $(TENANT_QUOTA_COLLECTOR_DIR)/../../../generate-tag.sh)
+ARO_HCP_IMAGE_ACR ?= arohcpsvcdev
+ARO_HCP_IMAGE_REGISTRY ?= ${ARO_HCP_IMAGE_ACR}.azurecr.io
+# Default repository name for tenant-quota (can be overridden via CUSTOM_METRICS_COLLECTOR_IMAGE_REPOSITORY)
+TENANT_QUOTA_COLLECTOR_IMAGE_REPOSITORY ?= tenant-quota-collector
+ARO_HCP_IMAGE_REPOSITORY ?= ${TENANT_QUOTA_COLLECTOR_IMAGE_REPOSITORY}
+TENANT_QUOTA_COLLECTOR_GENERATED_IMAGE_REPOSITORY = $(shell DEPLOY_ENV=${DEPLOY_ENV} BASELINE_REPO=${ARO_HCP_IMAGE_REPOSITORY} $(TENANT_QUOTA_COLLECTOR_DIR)/../../../generate-repo.sh)
+TENANT_QUOTA_COLLECTOR_TAGGED_IMAGE ?= $(ARO_HCP_IMAGE_REGISTRY)/$(TENANT_QUOTA_COLLECTOR_GENERATED_IMAGE_REPOSITORY):$(ARO_HCP_IMAGE_TAG)
+
+ifeq ($(ARO_HCP_IMAGE_REGISTRY:%.azurecr.io=azurecr.io),azurecr.io)
+ARO_HCP_IMAGE_REGISTRY_IS_ACR = 1
+endif
+
+.DEFAULT_GOAL := tenant-quota-collector
+
+tenant-quota-collector:
+	go build -ldflags="-X github.com/Azure/ARO-HCP/internal/version.CommitSHA=${ARO_HCP_IMAGE_TAG}" -o tenant-quota-collector .
+
+run:
+	CONFIG_PATH=./deploy/templates/configmap.yaml ./tenant-quota-collector
+
+clean:
+	rm -f tenant-quota-collector
+
+image: Dockerfile $(shell find . -name '*.go' -o -name 'go.mod' -o -name 'go.sum') Makefile
+	cd $(TENANT_QUOTA_COLLECTOR_DIR)/../../.. && \
+	docker build . --file dev-infrastructure/ops-tools/tenant-quota/Dockerfile \
+	               --build-arg PLATFORM=linux/amd64 \
+	               --build-arg REVISION=${ARO_HCP_REVISION} \
+	               --build-arg TAG=${ARO_HCP_IMAGE_TAG} \
+	               --tag ${TENANT_QUOTA_COLLECTOR_TAGGED_IMAGE}
+.PHONY: image
+
+build-and-push: image $(ORAS)
+	az acr login --name ${ARO_HCP_IMAGE_ACR}
+	docker push ${TENANT_QUOTA_COLLECTOR_TAGGED_IMAGE}
+.PHONY: build-and-push
+
+# Required environment variables for opstool deployment
+# OPSTOOL_RG: Resource group where opstool cluster is deployed (e.g., hcp-underlay-opstool-uksouth-svc)
+# OPSTOOL_SUBSCRIPTION_ID: Subscription ID (opstool subscription)
+# OPSTOOL_CLUSTER_NAME: AKS cluster name (e.g., opstool-uksouth-svc-1)
+# OPSTOOL_KEYVAULT_NAME: Service Key Vault name (e.g., aro-hcp-dev-svc-kv)
+# OPSTOOL_KEYVAULT_RG: Service Key Vault resource group (e.g., global)
+#
+# Optional: OPSTOOL_VALUES_FILE - Path to custom values.yaml file for tenant configuration
+#   If not set, uses default values.yaml with RedHat0 tenant
+#   To add multiple tenants, create a custom values.yaml or use --set flags
+
+# Pipeline targets - use environment variables from pipeline system
+tenant-quota-create-identity:
+	@[ "${OPSTOOL_RG}" ] || ( echo ">> OPSTOOL_RG is not set"; exit 1 )
+	@[ "${OPSTOOL_SUBSCRIPTION_ID}" ] || ( echo ">> OPSTOOL_SUBSCRIPTION_ID is not set"; exit 1 )
+	@echo "Creating tenant-quota-collector managed identity..."
+	@if az identity show --name tenant-quota-collector --resource-group ${OPSTOOL_RG} --subscription ${OPSTOOL_SUBSCRIPTION_ID} >/dev/null 2>&1; then \
+		echo "✅ Identity already exists"; \
+	else \
+		az identity create \
+			--name tenant-quota-collector \
+			--resource-group ${OPSTOOL_RG} \
+			--subscription ${OPSTOOL_SUBSCRIPTION_ID} && \
+		echo "✅ Identity created successfully"; \
+	fi
+.PHONY: tenant-quota-create-identity
+
+tenant-quota-kv-permissions:
+	@[ "${OPSTOOL_RG}" ] || ( echo ">> OPSTOOL_RG is not set"; exit 1 )
+	@[ "${OPSTOOL_SUBSCRIPTION_ID}" ] || ( echo ">> OPSTOOL_SUBSCRIPTION_ID is not set"; exit 1 )
+	@[ "${OPSTOOL_KEYVAULT_NAME}" ] || ( echo ">> OPSTOOL_KEYVAULT_NAME is not set"; exit 1 )
+	@[ "${OPSTOOL_KEYVAULT_RG}" ] || ( echo ">> OPSTOOL_KEYVAULT_RG is not set"; exit 1 )
+	@echo "Granting Key Vault permissions..."
+	@PRINCIPAL_ID=$$(az identity show --name tenant-quota-collector --resource-group ${OPSTOOL_RG} --subscription ${OPSTOOL_SUBSCRIPTION_ID} --query principalId -o tsv); \
+	KV_RESOURCE_ID=$$(az keyvault show --name ${OPSTOOL_KEYVAULT_NAME} --resource-group ${OPSTOOL_KEYVAULT_RG} --subscription ${OPSTOOL_SUBSCRIPTION_ID} --query id -o tsv); \
+	az role assignment create \
+		--role "Key Vault Secrets User" \
+		--assignee $$PRINCIPAL_ID \
+		--scope $$KV_RESOURCE_ID \
+		--only-show-errors >/dev/null 2>&1 || true; \
+	echo "✅ Key Vault permissions granted"
+.PHONY: tenant-quota-kv-permissions
+
+tenant-quota-federate-identity:
+	@[ "${OPSTOOL_RG}" ] || ( echo ">> OPSTOOL_RG is not set"; exit 1 )
+	@[ "${OPSTOOL_SUBSCRIPTION_ID}" ] || ( echo ">> OPSTOOL_SUBSCRIPTION_ID is not set"; exit 1 )
+	@[ "${OPSTOOL_CLUSTER_NAME}" ] || ( echo ">> OPSTOOL_CLUSTER_NAME is not set"; exit 1 )
+	@echo "Creating federated identity credential..."
+	@KUBECONFIG=$$(mktemp); \
+	az aks get-credentials --name ${OPSTOOL_CLUSTER_NAME} --resource-group ${OPSTOOL_RG} --subscription ${OPSTOOL_SUBSCRIPTION_ID} --file $$KUBECONFIG --overwrite-existing >/dev/null 2>&1; \
+	kubelogin convert-kubeconfig -l azurecli --kubeconfig $$KUBECONFIG >/dev/null 2>&1; \
+	ISSUER_URL=$$(kubectl get --raw /.well-known/openid-configuration --kubeconfig $$KUBECONFIG | grep -o '"issuer":"[^"]*' | cut -d'"' -f4); \
+	if [ -z "$$ISSUER_URL" ]; then \
+		echo "ERROR: Failed to fetch OIDC issuer URL from cluster"; \
+		rm -f $$KUBECONFIG; \
+		exit 1; \
+	fi; \
+	SUBJECT="system:serviceaccount:tenant-quota:tenant-quota-collector"; \
+	if az identity federated-credential show \
+		--name tenant-quota-collector-fedcred \
+		--identity-name tenant-quota-collector \
+		--resource-group ${OPSTOOL_RG} \
+		--subscription ${OPSTOOL_SUBSCRIPTION_ID} >/dev/null 2>&1; then \
+		echo "✅ Federated credential already exists"; \
+	else \
+		az identity federated-credential create \
+			--name tenant-quota-collector-fedcred \
+			--identity-name tenant-quota-collector \
+			--resource-group ${OPSTOOL_RG} \
+			--subscription ${OPSTOOL_SUBSCRIPTION_ID} \
+			--issuer "$$ISSUER_URL" \
+			--subject "$$SUBJECT" \
+			--audience "api://AzureADTokenExchange" && \
+		echo "✅ Federated credential created"; \
+	fi; \
+	rm -f $$KUBECONFIG
+.PHONY: tenant-quota-federate-identity
+
+tenant-quota-deploy-helm: build-and-push
+	@[ "${OPSTOOL_RG}" ] || ( echo ">> OPSTOOL_RG is not set"; exit 1 )
+	@[ "${OPSTOOL_SUBSCRIPTION_ID}" ] || ( echo ">> OPSTOOL_SUBSCRIPTION_ID is not set"; exit 1 )
+	@[ "${OPSTOOL_CLUSTER_NAME}" ] || ( echo ">> OPSTOOL_CLUSTER_NAME is not set"; exit 1 )
+	@[ "${OPSTOOL_KEYVAULT_NAME}" ] || ( echo ">> OPSTOOL_KEYVAULT_NAME is not set"; exit 1 )
+	@echo "Deploying tenant-quota-collector..."
+	@CLIENT_ID=$$(az identity show --name tenant-quota-collector --resource-group ${OPSTOOL_RG} --subscription ${OPSTOOL_SUBSCRIPTION_ID} --query clientId -o tsv); \
+	TENANT_ID=$$(az account show --subscription ${OPSTOOL_SUBSCRIPTION_ID} --query tenantId -o tsv); \
+	echo "✅ Using image: ${TENANT_QUOTA_COLLECTOR_TAGGED_IMAGE}"; \
+	KUBECONFIG=$$(mktemp); \
+	az aks get-credentials --name ${OPSTOOL_CLUSTER_NAME} --resource-group ${OPSTOOL_RG} --subscription ${OPSTOOL_SUBSCRIPTION_ID} --file $$KUBECONFIG --overwrite-existing >/dev/null 2>&1; \
+	kubelogin convert-kubeconfig -l azurecli --kubeconfig $$KUBECONFIG >/dev/null 2>&1; \
+	if [ -n "${OPSTOOL_VALUES_FILE}" ]; then \
+		echo "Using custom values file: ${OPSTOOL_VALUES_FILE}"; \
+		helm upgrade --install tenant-quota $(TENANT_QUOTA_COLLECTOR_DIR)/deploy \
+			--namespace tenant-quota \
+			--create-namespace \
+			--kubeconfig $$KUBECONFIG \
+			--values ${OPSTOOL_VALUES_FILE} \
+			--set imageRegistry=arohcpsvcdev.azurecr.io \
+			--set imageRepository=${TENANT_QUOTA_COLLECTOR_GENERATED_IMAGE_REPOSITORY} \
+			--set imageTag=${ARO_HCP_IMAGE_TAG} \
+			--set msiClientId=$$CLIENT_ID \
+			--set msiTenantId=$$TENANT_ID \
+			--set secretProvider.keyVault=${OPSTOOL_KEYVAULT_NAME} \
+			--set secretProvider.msiClientId=$$CLIENT_ID \
+			--wait; \
+	else \
+		echo "Using default values.yaml (RedHat0 tenant)"; \
+		helm upgrade --install tenant-quota $(TENANT_QUOTA_COLLECTOR_DIR)/deploy \
+			--namespace tenant-quota \
+			--create-namespace \
+			--kubeconfig $$KUBECONFIG \
+			--set imageRegistry=arohcpsvcdev.azurecr.io \
+			--set imageRepository=${TENANT_QUOTA_COLLECTOR_GENERATED_IMAGE_REPOSITORY} \
+			--set imageTag=${ARO_HCP_IMAGE_TAG} \
+			--set msiClientId=$$CLIENT_ID \
+			--set msiTenantId=$$TENANT_ID \
+			--set secretProvider.keyVault=${OPSTOOL_KEYVAULT_NAME} \
+			--set secretProvider.msiClientId=$$CLIENT_ID \
+			--set tenants[0].tenantId=64dc69e4-d083-49fc-9569-ebece1dd1408 \
+			--set tenants[0].tenantName=RedHat0 \
+			--set tenants[0].servicePrincipalClientId=1ef710d1-afd7-4bf3-8095-e8126650607f \
+			--set tenants[0].keyVaultSecretName=custom-metrics-collector-redhat0-client-secret \
+			--wait; \
+	fi; \
+	rm -f $$KUBECONFIG; \
+	echo "✅ Deployment complete!"
+	@echo ""
+	@echo "📝 Note: To add additional tenants, create a custom values.yaml file"
+	@echo "   with all tenant configurations and set OPSTOOL_VALUES_FILE=<path>"
+	@echo "   See DEPLOY.md for detailed instructions."
+.PHONY: opstool-deploy
+
+# Environment variables are provided by the pipeline system from config.yaml
+tenant-quota-deploy: tenant-quota-create-identity tenant-quota-federate-identity tenant-quota-kv-permissions tenant-quota-deploy-helm
+	@echo "✅ Tenant quota collector deployment complete!"
+	@echo ""
+	@echo "⚠️  IMPORTANT: Ensure service principal secrets exist in Key Vault before deployment!"
+	@echo "   If secrets don't exist, the pod will fail to authenticate."
+.PHONY: tenant-quota-deploy
+
+# Manual deployment target - requires environment variables to be set manually
+opstool-deploy: tenant-quota-create-identity tenant-quota-federate-identity tenant-quota-kv-permissions tenant-quota-deploy-helm
+	@echo "✅ Opstool deployment complete!"
+	@echo ""
+	@echo "⚠️  IMPORTANT: Ensure service principal secrets exist in Key Vault before deployment!"
+	@echo "   If secrets don't exist, the pod will fail to authenticate."
+	@echo "   Use the existing script to store secrets:"
+	@echo "   ../../scripts/kv-add-secret.sh <kv-name> <rg> <secret-name> <secret-value>"
+	@echo "   Example: ../../scripts/kv-add-secret.sh aro-hcp-dev-svc-kv global custom-metrics-collector-redhat0-client-secret \"<sp-client-secret>\""
+.PHONY: opstool-deploy

dev-infrastructure/ops-tools/tenant-quota/deploy/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: tenant-quota-collector
+version: 0.1.0
+appVersion: 0.1.0
+kubeVersion: ">=1.27.0"
+description: Tenant Quota Collector - collects Azure AD tenant quota metrics from Microsoft Graph API.

dev-infrastructure/ops-tools/tenant-quota/deploy/templates/configmap.yaml

@@ -0,0 +1,27 @@
+# Purpose: Tenant configuration - defines which tenants to collect quota from and their service principal credentials
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tenant-quota-config
+  namespace: {{ .Release.Namespace }}
+data:
+  config.yaml: |
+    # Tenant Quota Collector Configuration
+    # This collector runs in the opstool environment and collects quota from configured tenants.
+    #
+    # Configuration is synced from Helm values. To add a new tenant:
+    # 1. Create a service principal in that tenant with Microsoft Graph API permissions
+    # 2. Store the service principal secret in the dev Key Vault (aro-hcp-dev-svc-kv)
+    # 3. Update the Helm values (values.yaml or --set) to include the new tenant
+    # 4. Redeploy: helm upgrade tenant-quota ./deploy --namespace tenant-quota [--set ...]
+    #
+    interval: "5m"
+    timeout: "30s"
+    tenants:
+      {{- range .Values.tenants }}
+      - tenantId: "{{ .tenantId }}"
+        tenantName: "{{ .tenantName }}"
+        servicePrincipalClientId: "{{ .servicePrincipalClientId }}"
+        keyVaultSecretName: "{{ .keyVaultSecretName }}"
+        scope: "https://graph.microsoft.com/.default"
+      {{- end }}

dev-infrastructure/ops-tools/tenant-quota/deploy/templates/deployment.yaml

@@ -0,0 +1,74 @@
+# Purpose: Main workload - deploys the tenant-quota-collector pod that collects quota metrics from configured tenants
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tenant-quota-collector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: tenant-quota-collector
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: tenant-quota-collector
+  template:
+    metadata:
+      labels:
+        app: tenant-quota-collector
+      annotations:
+        azure.workload.identity/use: "true"
+    spec:
+      serviceAccountName: tenant-quota-collector
+      containers:
+      - name: tenant-quota-collector
+        image: '{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}{{ if .Values.imageDigest }}@{{ .Values.imageDigest }}{{ else if .Values.imageTag }}:{{ .Values.imageTag }}{{ end }}'
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 8080
+          name: metrics
+        env:
+        - name: CONFIG_PATH
+          value: "/etc/config/config.yaml"
+        - name: PORT
+          value: "8080"
+        - name: LOG_LEVEL
+          value: "info"
+        - name: AZURE_CLIENT_ID
+          value: "{{ .Values.msiClientId }}"
+        - name: AZURE_TENANT_ID
+          value: "{{ .Values.msiTenantId }}"
+        volumeMounts:
+        - name: config
+          mountPath: /etc/config
+        - name: secrets-store
+          mountPath: "/mnt/secrets-store"
+          readOnly: true
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "100m"
+          limits:
+            memory: "256Mi"
+            cpu: "200m"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 30
+          periodSeconds: 30
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 10
+      volumes:
+      - name: config
+        configMap:
+          name: tenant-quota-config
+      - name: secrets-store
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: tenant-quota-collector-secretprovider

dev-infrastructure/ops-tools/tenant-quota/deploy/templates/probe.yaml

@@ -0,0 +1,17 @@
+# Purpose: Health check probes - configures Prometheus blackbox exporter to probe the /healthz endpoint
+apiVersion: monitoring.coreos.com/v1
+kind: Probe
+metadata:
+  name: tenant-quota-collector-probe
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: arohcp-monitor
+spec:
+  jobName: tenant-quota-collector-health
+  prober:
+    url: blackbox-exporter:9115
+    path: /probe
+  module: http_2xx
+  targets:
+    staticConfig:
+      static: ['tenant-quota-collector:8080/healthz']

dev-infrastructure/ops-tools/tenant-quota/deploy/templates/prometheusrule.yaml

@@ -0,0 +1,36 @@
+# Purpose: Alerting rules - defines Prometheus alert rules for tenant quota usage thresholds (80%, 90%, 95%)
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: tenant-quota-alerts
+  namespace: {{ .Release.Namespace }}
+  labels:
+    release: arohcp-monitor
+spec:
+  groups:
+  - name: tenant-quota
+    rules:
+    - alert: TenantQuotaCritical
+      expr: tenant_quota_usage_percentage >= 95
+      for: 5m
+      labels:
+        severity: critical
+      annotations:
+        summary: "Tenant quota usage is critical"
+        description: 'Tenant {{ print "{{" }} $labels.tenant_name {{ print "}}" }} is at {{ print "{{" }} $value {{ print "}}" }}% capacity'
+    - alert: TenantQuotaWarning
+      expr: tenant_quota_usage_percentage >= 90
+      for: 10m
+      labels:
+        severity: warning
+      annotations:
+        summary: "Tenant quota usage is high"
+        description: 'Tenant {{ print "{{" }} $labels.tenant_name {{ print "}}" }} is at {{ print "{{" }} $value {{ print "}}" }}% capacity'
+    - alert: TenantQuotaInfo
+      expr: tenant_quota_usage_percentage >= 80
+      for: 15m
+      labels:
+        severity: info
+      annotations:
+        summary: "Tenant quota usage is elevated"
+        description: 'Tenant {{ print "{{" }} $labels.tenant_name {{ print "}}" }} is at {{ print "{{" }} $value {{ print "}}" }}% capacity'