MSFT STG SVC rollout (#1535)

geoberle · web-flow · commit 7994231852d0 · 2025-03-24T18:29:45.000+01:00
* humand readable aks names

Signed-off-by: Gerd Oberlechner &lt;goberlec@redhat.com&gt;

* create certificate for fpa

Signed-off-by: Gerd Oberlechner &lt;goberlec@redhat.com&gt;

* release approver

Signed-off-by: Gerd Oberlechner &lt;goberlec@redhat.com&gt;

* fix prod ip service tags

Signed-off-by: Gerd Oberlechner &lt;goberlec@redhat.com&gt;

* deactivate stage ip addr tags until they are activated

Signed-off-by: Gerd Oberlechner &lt;goberlec@redhat.com&gt;

* use onecert private for frontend cert until we have approval for public in stg

Signed-off-by: Gerd Oberlechner &lt;goberlec@redhat.com&gt;

* lint

Signed-off-by: Gerd Oberlechner &lt;goberlec@redhat.com&gt;

---------

Signed-off-by: Gerd Oberlechner &lt;goberlec@redhat.com&gt;
diff --git a/cluster-service/pipeline.yaml b/cluster-service/pipeline.yaml
@@ -35,7 +35,7 @@ resourceGroups:
     - name: AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID
       configRef: firstPartyAppClientId
     - name: FPA_CERT_NAME
-      configRef: firstPartyAppCertName
+      configRef: firstPartyAppCertificate.name
     - name: AZURE_MI_MOCK_SERVICE_PRINCIPAL_PRINCIPAL_ID
       configRef: miMockPrincipalId
     - name: AZURE_MI_MOCK_SERVICE_PRINCIPAL_CLIENT_ID
diff --git a/config/config.msft.yaml b/config/config.msft.yaml
@@ -22,7 +22,9 @@ defaults:
   #
   # All defaults mentioned in this section need to be environment and region agnostic.
   #
-
+  releaseApprover:
+    id: feca6a27-8f05-4abe-b9e4-e1185f5833ab
+    name: TM-AzureRedHatOpenShift-HCP-Leads
   # The long Azure region name
   region: "{{ .ctx.region  }}"
   regionRG: "{{ .ctx.region }}-shared-resources"
@@ -63,12 +65,16 @@ defaults:
       repository: acm-d/rhtap-hypershift-operator
   # OIDC
   oidcZoneRedundantMode: Auto
+  # FPA certificate settings
+  firstPartyAppCertificate:
+    issuer: OneCertV2-PrivateCA
+    manage: true
   # SVC cluster specifics
   svc:
     subscription: "hcp-{{ .ctx.region }}"
     rg: "hcp-underlay-{{ .ctx.region }}-svc"
     aks:
-      name: "{{ .ctx.regionShort }}-svc" # [env-unique]
+      name: "{{ .ctx.region }}-svc-1" # [env-unique]
       vnetAddressPrefix: "10.128.0.0/14"
       subnetPrefix: "10.128.8.0/21"
       podSubnetPrefix: "10.128.64.0/18"
@@ -81,22 +87,24 @@ defaults:
         osDiskSizeGB: 32
       etcd:
         kvSoftDelete: true
-      clusterOutboundIPAddressIPTags: "FirstPartyUsage:arohcpprodoutboundsvc"
+      #clusterOutboundIPAddressIPTags: "FirstPartyUsage:aro-hcp-prod-outbound-svc"
+      clusterOutboundIPAddressIPTags: ""
     istio:
       istioctlVersion: "1.24.1"
       tag: "prod-stable"
       targetVersion: "asm-1-23"
       versions: "asm-1-23"
       ingressGatewayIPAddressName: "aro-hcp-istio-ingress"
-      ingressGatewayIPAddressIPTags: "FirstPartyUsage:arohcpprodinboundsvc"
+      #ingressGatewayIPAddressIPTags: "FirstPartyUsage:aro-hcp-prod-inbound-svc"
+      ingressGatewayIPAddressIPTags: ""
     logs:
       namespace: HCPServiceLogs
   # MGMT cluster specifics
   mgmt:
     subscription: "hcp-{{ .ctx.region }}"
     rg: "hcp-underlay-{{ .ctx.region }}-mgmt-{{ .ctx.stamp }}"
     aks:
-      name: "{{ .ctx.regionShort }}-mgmt-{{ .ctx.stamp }}" # [env-unique]
+      name: "{{ .ctx.region }}-mgmt-{{ .ctx.stamp }}" # [env-unique]
       vnetAddressPrefix: "10.128.0.0/14"
       subnetPrefix: "10.128.8.0/21"
       podSubnetPrefix: "10.128.64.0/18"
@@ -109,7 +117,8 @@ defaults:
         osDiskSizeGB: 128
       etcd:
         kvSoftDelete: true
-      clusterOutboundIPAddressIPTags: "FirstPartyUsage:arohcpprodoutboundcx"
+      #clusterOutboundIPAddressIPTags: "FirstPartyUsage:aro-hcp-prod-outbound-cx"
+      clusterOutboundIPAddressIPTags: ""
     applyKubeletFixes: true
     logs:
       namespace: HCPManagementLogs
@@ -377,7 +386,9 @@ clouds:
               digest: sha256:223f332a11d336b49243d886217a76809142b30f9ab8ef27bec80a4458b3c3a5
           # 1P app - from RH Tenant
           firstPartyAppClientId: b3cb2fab-15cb-4583-ad06-f91da9bfe2d1
-          firstPartyAppCertName: firstPartyCert2
+          firstPartyAppCertificate:
+            name: firstPartyCert2
+            manage: false # we have the cert from RH for int
           # Mock Managed Identities Service Princiapl - from RH Tenant
           miMockClientId: e8723db7-9b9e-46a4-9f7d-64d75c3534f0
           miMockPrincipalId: d6b62dfa-87f5-49b3-bbcb-4a687c4faa96
@@ -487,6 +498,8 @@ clouds:
               private: false
             image:
               digest: sha256:343bb768e38a829f13c4893e381c83fa602944809509b64e841f317ec2bf539b
+            cert:
+              issuer: OneCertV2-PrivateCA # let's use private until we have approval for public
           # RP Backend
           backend:
             image:
@@ -505,7 +518,8 @@ clouds:
               digest: sha256:223f332a11d336b49243d886217a76809142b30f9ab8ef27bec80a4458b3c3a5
           # 1P app - from RH Tenant
           firstPartyAppClientId: "7f4a113a-c61d-412a-bea1-85dee5baf4a8"
-          firstPartyAppCertName: firstPartyCert
+          firstPartyAppCertificate:
+            name: tmp-rp-firstparty
           # Grafana
           monitoring:
             grafanaName: 'arohcp-stg'
diff --git a/config/config.schema.json b/config/config.schema.json
@@ -383,8 +383,25 @@
     "firstPartyAppClientId": {
       "type": "string"
     },
-    "firstPartyAppCertName": {
-      "type": "string"
+    "firstPartyAppCertificate": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "issuer": {
+          "$ref": "#/definitions/certificateIssuer"
+        },
+        "manage": {
+          "type": "boolean"
+        }
+      },
+      "additionalProperties": false,
+      "required": [
+        "name",
+        "issuer",
+        "manage"
+      ]
     },
     "miMockClientId": {
       "type": "string"
@@ -1121,6 +1138,22 @@
         "svc",
         "ocp"
       ]
+    },
+    "releaseApprover": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "id": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false,
+      "required": [
+        "name",
+        "id"
+      ]
     }
   },
   "additionalProperties": false,
@@ -1130,7 +1163,7 @@
     "clusterService",
     "cxKeyVault",
     "firstPartyAppClientId",
-    "firstPartyAppCertName",
+    "firstPartyAppCertificate",
     "frontend",
     "genevaActions",
     "global",
diff --git a/config/config.yaml b/config/config.yaml
@@ -206,7 +206,10 @@ clouds:
         parentZoneName: osadev.cloud
       # 1P app
       firstPartyAppClientId: b3cb2fab-15cb-4583-ad06-f91da9bfe2d1
-      firstPartyAppCertName: firstPartyCert2
+      firstPartyAppCertificate:
+        name: firstPartyCert2
+        issuer: Self
+        manage: false
       # Mock Managed Identities Service Princiapl
       miMockClientId: e8723db7-9b9e-46a4-9f7d-64d75c3534f0
       miMockPrincipalId: d6b62dfa-87f5-49b3-bbcb-4a687c4faa96
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
@@ -88,7 +88,11 @@
     "svcParentZoneName": "hcpsvc.osadev.cloud"
   },
   "extraVars": {},
-  "firstPartyAppCertName": "firstPartyCert2",
+  "firstPartyAppCertificate": {
+    "issuer": "Self",
+    "manage": false,
+    "name": "firstPartyCert2"
+  },
   "firstPartyAppClientId": "b3cb2fab-15cb-4583-ad06-f91da9bfe2d1",
   "frontend": {
     "cert": {
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
@@ -88,7 +88,11 @@
     "svcParentZoneName": "hcpsvc.osadev.cloud"
   },
   "extraVars": {},
-  "firstPartyAppCertName": "firstPartyCert2",
+  "firstPartyAppCertificate": {
+    "issuer": "Self",
+    "manage": false,
+    "name": "firstPartyCert2"
+  },
   "firstPartyAppClientId": "b3cb2fab-15cb-4583-ad06-f91da9bfe2d1",
   "frontend": {
     "cert": {
diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
@@ -88,7 +88,11 @@
     "svcParentZoneName": "aro-hcp.azure-test.net"
   },
   "extraVars": {},
-  "firstPartyAppCertName": "firstPartyCert2",
+  "firstPartyAppCertificate": {
+    "issuer": "OneCertV2-PrivateCA",
+    "manage": false,
+    "name": "firstPartyCert2"
+  },
   "firstPartyAppClientId": "b3cb2fab-15cb-4583-ad06-f91da9bfe2d1",
   "frontend": {
     "cert": {
@@ -229,7 +233,7 @@
         "kvSoftDelete": true
       },
       "kubernetesVersion": "1.31.5",
-      "name": "usw3-mgmt-1",
+      "name": "westus3-mgmt-1",
       "podSubnetPrefix": "10.128.64.0/18",
       "subnetPrefix": "10.128.8.0/21",
       "systemAgentPool": {
@@ -291,6 +295,10 @@
   "oidcZoneRedundantMode": "Auto",
   "region": "westus3",
   "regionRG": "westus3-shared-resources",
+  "releaseApprover": {
+    "id": "feca6a27-8f05-4abe-b9e4-e1185f5833ab",
+    "name": "TM-AzureRedHatOpenShift-HCP-Leads"
+  },
   "serviceKeyVault": {
     "name": "arohcpint-svc-usw3",
     "private": false,
@@ -306,7 +314,7 @@
         "kvSoftDelete": true
       },
       "kubernetesVersion": "1.31.5",
-      "name": "usw3-svc",
+      "name": "westus3-svc-1",
       "podSubnetPrefix": "10.128.64.0/18",
       "subnetPrefix": "10.128.8.0/21",
       "systemAgentPool": {
diff --git a/config/public-cloud-msft-stg.json b/config/public-cloud-msft-stg.json
@@ -88,11 +88,15 @@
     "svcParentZoneName": "aro-hcp.azure.com"
   },
   "extraVars": {},
-  "firstPartyAppCertName": "firstPartyCert",
+  "firstPartyAppCertificate": {
+    "issuer": "OneCertV2-PrivateCA",
+    "manage": true,
+    "name": "tmp-rp-firstparty"
+  },
   "firstPartyAppClientId": "7f4a113a-c61d-412a-bea1-85dee5baf4a8",
   "frontend": {
     "cert": {
-      "issuer": "OneCertV2-PublicCA",
+      "issuer": "OneCertV2-PrivateCA",
       "name": "frontend-cert"
     },
     "cosmosDB": {
@@ -221,13 +225,13 @@
   },
   "mgmt": {
     "aks": {
-      "clusterOutboundIPAddressIPTags": "FirstPartyUsage:arohcpprodoutboundcx",
+      "clusterOutboundIPAddressIPTags": "",
       "etcd": {
         "kvName": "arohcpstg-etcd-usw3-1",
         "kvSoftDelete": true
       },
       "kubernetesVersion": "1.31.5",
-      "name": "usw3-mgmt-1",
+      "name": "westus3-mgmt-1",
       "podSubnetPrefix": "10.128.64.0/18",
       "subnetPrefix": "10.128.8.0/21",
       "systemAgentPool": {
@@ -289,6 +293,10 @@
   "oidcZoneRedundantMode": "Auto",
   "region": "westus3",
   "regionRG": "westus3-shared-resources",
+  "releaseApprover": {
+    "id": "feca6a27-8f05-4abe-b9e4-e1185f5833ab",
+    "name": "TM-AzureRedHatOpenShift-HCP-Leads"
+  },
   "serviceKeyVault": {
     "name": "arohcpstg-svc-usw3",
     "private": false,
@@ -298,13 +306,13 @@
   },
   "svc": {
     "aks": {
-      "clusterOutboundIPAddressIPTags": "FirstPartyUsage:arohcpprodoutboundsvc",
+      "clusterOutboundIPAddressIPTags": "",
       "etcd": {
         "kvName": "arohcpstg-etcd-usw3",
         "kvSoftDelete": true
       },
       "kubernetesVersion": "1.31.5",
-      "name": "usw3-svc",
+      "name": "westus3-svc-1",
       "podSubnetPrefix": "10.128.64.0/18",
       "subnetPrefix": "10.128.8.0/21",
       "systemAgentPool": {
@@ -323,7 +331,7 @@
       "vnetAddressPrefix": "10.128.0.0/14"
     },
     "istio": {
-      "ingressGatewayIPAddressIPTags": "FirstPartyUsage:arohcpprodinboundsvc",
+      "ingressGatewayIPAddressIPTags": "",
       "ingressGatewayIPAddressName": "aro-hcp-istio-ingress",
       "istioctlVersion": "1.24.1",
       "tag": "prod-stable",
diff --git a/config/public-cloud-nightly.json b/config/public-cloud-nightly.json
@@ -88,7 +88,11 @@
     "svcParentZoneName": "hcpsvc.osadev.cloud"
   },
   "extraVars": {},
-  "firstPartyAppCertName": "firstPartyCert2",
+  "firstPartyAppCertificate": {
+    "issuer": "Self",
+    "manage": false,
+    "name": "firstPartyCert2"
+  },
   "firstPartyAppClientId": "b3cb2fab-15cb-4583-ad06-f91da9bfe2d1",
   "frontend": {
     "cert": {
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
@@ -88,7 +88,11 @@
     "svcParentZoneName": "hcpsvc.osadev.cloud"
   },
   "extraVars": {},
-  "firstPartyAppCertName": "firstPartyCert2",
+  "firstPartyAppCertificate": {
+    "issuer": "Self",
+    "manage": false,
+    "name": "firstPartyCert2"
+  },
   "firstPartyAppClientId": "b3cb2fab-15cb-4583-ad06-f91da9bfe2d1",
   "frontend": {
     "cert": {
diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
@@ -67,6 +67,7 @@ param oidcZoneRedundantMode = '{{ .oidcZoneRedundantMode }}'
 
 param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'
 
+param svcDNSZoneName = '{{ .dns.svcParentZoneName }}'
 param regionalCXDNSZoneName = '{{ .dns.regionalSubdomain }}.{{ .dns.cxParentZoneName }}'
 param regionalSvcDNSZoneName = '{{ .dns.regionalSubdomain }}.{{ .dns.svcParentZoneName }}'
 
@@ -76,6 +77,10 @@ param frontendIngressCertName = '{{ .frontend.cert.name }}'
 param frontendIngressCertIssuer = '{{ .frontend.cert.issuer }}'
 param genevaActionsServiceTag = '{{ .genevaActions.serviceTag }}'
 
+param fpaCertificateName = '{{ .firstPartyAppCertificate.name }}'
+param fpaCertificateIssuer = '{{ .firstPartyAppCertificate.issuer }}'
+param manageFpaCertificate = {{ .firstPartyAppCertificate.manage }}
+
 // Azure Monitor Workspace
 param azureMonitoringWorkspaceId = '__azureMonitoringWorkspaceId__'
 
diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
