

ARO-10633 | Add ARM Helper Indentity supporting properties
Signed-off-by: Chetan Giradkar <[email protected]>
cgiradkar committed Oct 10, 2024
1 parent bcdc949 commit c9eacba
Showing 2 changed files with 44 additions and 1 deletion.
8 changes: 7 additions & 1 deletion cluster-service/Makefile
Expand Up @@ -5,9 +5,11 @@ CONFIG_PROFILE ?= dev
include ../dev-infrastructure/configurations/$(CONFIG_PROFILE).mk

CONSUMER_NAME ?= $(shell az aks list --query "[?tags.clusterType == 'mgmt-cluster' && starts_with(resourceGroup, '$(REGIONAL_RESOURCEGROUP)')].resourceGroup" -o tsv)
KEYVAULT_NAME ?= $(shell az keyvault list --query "[?tags.aroHCPPurpose=='service'].name" -g ${SVC_KV_RESOURCEGROUP} --output tsv)
KEYVAULT_NAME ?= aro-hcp-dev-svc-kv
FPA_CERT_NAME ?= firstPartyCert
AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID ?= "57e54810-3138-4f38-bd3b-29cb33f4c358"
ARM_HELPER_IDENTITY_CLIENT_ID ?= "2c6ca254-36bd-43c8-a7a8-fe880bc2c489"
ARM_HELPER_IDENTITY_CERT_NAME ?= armHelperCert

deploy:
ZONE_RESOURCE_ID=$(shell az network dns zone list -g ${REGIONAL_RESOURCEGROUP} --query "[?zoneType=='Public'].id" -o tsv) && \
Expand Down Expand Up @@ -37,14 +39,18 @@ deploy:
-p IMAGE_REPOSITORY=app-sre/uhc-clusters-service \
-p AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID=$${AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID} \
-p FPA_CERT_NAME=${FPA_CERT_NAME} \
-p ARM_HELPER_IDENTITY_CLIENT_ID=${ARM_HELPER_IDENTITY_CLIENT_ID} \
-p ARM_HELPER_IDENTITY_CERT_NAME=${ARM_HELPER_IDENTITY_CERT_NAME}
-p IMAGE_TAG=b16f630 | oc apply -f -

deploy-integ:
AZURE_CS_MI_CLIENT_ID=$(shell az identity show \
-g ${RESOURCEGROUP} \
-n clusters-service \
--query clientId) && \
ARM_HELPER_IDENTITY_SERVICE_PRINCIPAL_CLIENT_ID=${ARM_HELPER_IDENTITY_CLIENT_ID} && \
oc process --local -f deploy/integration/cluster-service-namespace.yaml \
-p ARM_HELPER_IDENTITY_SERVICE_PRINCIPAL_CLIENT_ID=$${ARM_HELPER_IDENTITY_SERVICE_PRINCIPAL_CLIENT_ID} \
-p CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} | oc apply -f -

# for local development
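Review bot: The added line `-p ARM_HELPER_IDENTITY_CERT_NAME=${ARM_HELPER_IDENTITY_CERT_NAME}` in the deploy recipe has no trailing backslash, so the `oc process` command ends there and the next line `-p IMAGE_TAG=b16f630 | oc apply -f -` runs as a separate shell command: the processed template is never piped into `oc apply` and the line itself fails with an unknown command. Append ` \` to that line so the continuation reaches the pipe. In the deploy-integ recipe the intermediate shell variable `ARM_HELPER_IDENTITY_SERVICE_PRINCIPAL_CLIENT_ID=${ARM_HELPER_IDENTITY_CLIENT_ID} && \` only forwards a Make variable and could be dropped in favour of `-p ARM_HELPER_IDENTITY_SERVICE_PRINCIPAL_CLIENT_ID=${ARM_HELPER_IDENTITY_CLIENT_ID}` directly, matching how the other new parameter is passed. Both recipes start above this hunk.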
Expand Up @@ -233,6 +233,12 @@ parameters:
value: ""
- name: FPA_CERT_NAME
description: The name of the secret that contains the first party application certificate bundle.
- name: ARM_HELPER_IDENTITY_CLIENT_ID
description: The client id of the service principal that represents the ARM Helper Identity.
value: "57e54810-3138-4f38-bd3b-29cb33f4c358"
- name: ARM_HELPER_IDENTITY_CERT_NAME
description: The name of the secret that contains the ARM Helper Indentity certificate bundle.
value: ""

objects:

Expand All @@ -256,6 +262,26 @@ objects:
usePodIdentity: "false"
provider: azure

- apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: arm-identity
namespace: ${NAMESPACE}
spec:
parameters:
clientID: ${ARM_HELPER_IDENTITY_CLIENT_ID}
cloudName: AzurePublicCloud
keyvaultName: ${SERVICE_KEYVAULT_NAME}
objects: |-
array:
- |
objectName: ${ARM_HELPER_IDENTITY_CERT_NAME}
objectType: secret
objectAlias: armHelperIndentityCertificateBundle
tenantId: ${TENANT_ID}
usePodIdentity: "false"
provider: azure

- apiVersion: v1
kind: ConfigMap
metadata:
Expand Down Expand Up @@ -456,6 +482,12 @@ objects:
- name: azure-credentials
secret:
secretName: azure-credentials
- name: arm-identity
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: arm-identity
- name: keyvault
csi:
driver: secrets-store.csi.k8s.io
Expand Down Expand Up @@ -523,6 +555,9 @@ objects:
readOnly: true
- name: azure-runtime-config
mountPath: /configs/azure-runtime-config
- name: arm-identity
mountPath: "/secrets/arm-identity"
readOnly: true
env:
- name: NAMESPACE
valueFrom:
Expand Down Expand Up @@ -574,6 +609,8 @@ objects:
- --azure-first-party-application-client-id=${AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID}
- --azure-first-party-application-certificate-bundle-path=/secrets/keyvault/firstPartyApplicationCertificateBundle
- --azure-runtime-config-path=/configs/azure-runtime-config/config.json
- --arm-helper-identity-client-id=${ARM_HELPER_IDENTITY_CLIENT_ID}
- --arm-helper-identity-certificate-bundle-path=/secrets/arm-identity/armHelperIndentityCertificateBundlePath
livenessProbe:
httpGet:
path: /api/clusters_mgmt/v1
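Review bot: The new container argument `--arm-helper-identity-certificate-bundle-path=/secrets/arm-identity/armHelperIndentityCertificateBundlePath` does not match the object the CSI volume exposes: the `arm-identity` SecretProviderClass added earlier in this file sets `objectAlias: armHelperIndentityCertificateBundle` (no `Path` suffix), and that alias is the name the mounted file carries under `/secrets/arm-identity`, so the service would point at a file that is not there. Change it to `- --arm-helper-identity-certificate-bundle-path=/secrets/arm-identity/armHelperIndentityCertificateBundle`, or rename the alias, keeping the two in step. In the parameters hunk, the default `value: "57e54810-3138-4f38-bd3b-29cb33f4c358"` for `ARM_HELPER_IDENTITY_CLIENT_ID` is the id the Makefile assigns to `AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID`, not the one it assigns to `ARM_HELPER_IDENTITY_CLIENT_ID`, so a template processed without that parameter would bind the ARM helper SecretProviderClass to the first-party application's identity. An empty default, `value: ""`, as the neighbouring `FPA_CERT_NAME`-style parameters use, would make the omission fail visibly instead of silently mixing identities. The enclosing container spec starts and ends outside the hunk.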

