From f28302dd3b8fb4d20633d4466e0984bad0bb1829 Mon Sep 17 00:00:00 2001
From: Gerd Oberlechner
Date: Mon, 28 Oct 2024 13:15:06 +0100
Subject: [PATCH] infra deploy pipeline
Signed-off-by: Gerd Oberlechner
---
.github/workflows/aro-hcp-dev-env-cd.yml | 774 ++++++++---------
.github/workflows/cs-integration-env-cd.yml | 776 +++++++++---------
Makefile | 3 +
config/config.yaml | 2 +-
dev-infrastructure/.gitignore | 1 +
dev-infrastructure/Makefile | 17 +-
.../dev-role-assignments.tmpl.bicepparam | 8 +
...nments.bicep => dev-roleassignments.bicep} | 12 +-
8 files changed, 756 insertions(+), 837 deletions(-)
create mode 100644 dev-infrastructure/configurations/dev-role-assignments.tmpl.bicepparam
rename dev-infrastructure/templates/{dev-aks-roleassignments.bicep => dev-roleassignments.bicep} (87%)
diff --git a/.github/workflows/aro-hcp-dev-env-cd.yml b/.github/workflows/aro-hcp-dev-env-cd.yml
index 99d0a74db..acd85ea84 100644
--- a/.github/workflows/aro-hcp-dev-env-cd.yml
+++ b/.github/workflows/aro-hcp-dev-env-cd.yml
@@ -1,13 +1,8 @@
 ---
 name: ARO HCP Dev Environment Continuous Deployment
 env:
- REGION: westus3
- REGIONAL_RESOURCEGROUP: aro-hcp-dev-westus3
- SC_RESOURCEGROUP: aro-hcp-dev-westus3-sc
- MC_RESOURCEGROUP: aro-hcp-dev-westus3-mc-1
- GLOBAL_RESOURCEGROUP: global
- IMAGE_SYNC_RESOURCEGROUP: aro-hcp-dev-image-sync
- ARO_HCP_IMAGE_ACR: arohcpdev
+ DEPLOY_ENV: dev
+ SKIP_CONFIRM: true
 on:
 workflow_dispatch:
 pull_request:
@@ -28,6 +23,8 @@
 - 'hypershiftoperator/**'
 - 'image-sync/**/'
 - 'tooling/image-sync/**'
+ - 'tooling/templatize/**'
+ - 'config/*'
 types:
 - opened
 - synchronize
@@ -48,7 +45,7 @@
 run: core.setFailed('Expected source repository to be Azure/ARO-HCP, re-create PR as a branch of Azure/ARO-HCP')

 deploy_global_rg:
- if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+ #if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
 permissions:
 id-token: 'write'
 contents: 'read'
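Review bot: Commenting out the `if:` on deploy_global_rg (last hunk) makes the job run for every `pull_request` event this workflow subscribes to — opened, synchronize, reopened and closed, including a PR closed without merge — rather than only merges and manual dispatch, so unmerged changes to the Makefile, the bicep templates or `config/*` are executed against the shared dev ACRs with the OIDC deployment identity (`id-token: 'write'`), and the new `SKIP_CONFIRM: true` removes the last manual stop. The fork check is a separate job (`is_running_on_fork`), and nothing in this hunk shows deploy_global_rg depending on it via `needs:`, so a same-repo PR from anyone with push access triggers a deploy on open. If the intent is to exercise the pipeline on PRs, keep `if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'` and add the PR case explicitly behind a protected `environment:` with required reviewers; if this is a debugging change it should be reverted before merge. The `run: core.setFailed(...)` in the fork guard is a shell step, not a github-script step, so it fails only because the command does not exist — pre-existing, but worth fixing while the gating is being touched.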
@@ -65,37 +62,18 @@ tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - name: 'Deploy' - uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 - with: - azcliversion: 2.63.0 - inlineScript: | - cd dev-infrastructure/ - - # ACR - az deployment group create \ - --name "dev-acr-${GITHUB_RUN_ID}" \ - --resource-group ${GLOBAL_RESOURCEGROUP} \ - --template-file templates/dev-acr.bicep \ - --parameters configurations/mvp-dev-acr.bicepparam - - # OCP ACR - az deployment group create \ - --name "dev-ocp-acr-${GITHUB_RUN_ID}" \ - --resource-group ${GLOBAL_RESOURCEGROUP} \ - --template-file templates/dev-acr.bicep \ - --parameters configurations/mvp-dev-ocp-acr.bicepparam + - name: Install Azure CLI + uses: ./.github/actions/install-azure-cli - # SVC ACR - az deployment group create \ - --name "dev-svc-acr-${GITHUB_RUN_ID}" \ - --resource-group ${GLOBAL_RESOURCEGROUP} \ - --template-file templates/dev-acr.bicep \ - --parameters configurations/mvp-dev-svc-acr.bicepparam + - name: 'Deploy' + run: | + cd dev-infrastructure/ + # Manage ACR + make acr acr-svc acr-ocp deploy_image_sync_rg: - if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' + #if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' permissions: id-token: 'write' contents: 'read' 
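Review bot: deploy_global_rg replaces the SHA-pinned `azure/cli@089eac9d…` container step with `./.github/actions/install-azure-cli` plus a plain `run:`, while the other deploy jobs in this commit keep the container action and only add the install step in front of it; the file should settle on one mechanism so every job deploys with the same CLI. The version installed by the local action is not visible here — if it tracks the latest release, `make acr acr-svc acr-ocp` runs with a floating CLI while the sibling jobs stay pinned to `azcliversion: 2.63.0`. The trailing `#if:` on deploy_image_sync_rg has the same effect as on deploy_global_rg: the job now deploys on unmerged PR events.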
@@ -112,24 +90,19 @@
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

+ - name: Install Azure CLI
+ uses: ./.github/actions/install-azure-cli
+
 - name: 'Deploy'
 uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0
 with:
 azcliversion: 2.63.0
 inlineScript: |
 cd dev-infrastructure/
-
- az group create -g "${IMAGE_SYNC_RESOURCEGROUP}" -l "${REGION}" --tags persist=true
-
- az deployment group create \
- --name "image-sync" \
- --resource-group ${IMAGE_SYNC_RESOURCEGROUP} \
- --template-file templates/image-sync.bicep \
- --parameters \
- configurations/mvp-image-sync.bicepparam
+ make imagesync

 deploy_region_rg:
- if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+ #if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
 permissions:
 id-token: 'write'
 contents: 'read'
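Review bot: The new `Install Azure CLI` step in deploy_image_sync_rg is never used by the step that follows it: `azure/cli@089eac9d…` executes `inlineScript` inside its own container with `azcliversion: 2.63.0`, so the CLI installed on the runner is irrelevant to `make imagesync`. Conversely `make`, and whatever the `imagesync` target invokes (presumably the templatize tooling that was just added to the trigger paths), must exist inside that container image, which the pinned azure-cli image does not guarantee. Either drop the install step, or do what deploy_global_rg does in this same commit and replace `uses: azure/cli@…` / `with:` / `azcliversion:` / `inlineScript: |` with `run: |` so the script runs on the runner with the installed CLI. The `#if:` on deploy_region_rg at the end of the hunk disables the merged/dispatch gate for that job as well.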
@@ -146,31 +119,16 @@
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

+ - name: Install Azure CLI
+ uses: ./.github/actions/install-azure-cli
+
 - name: 'Deploy'
 uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0
 with:
 azcliversion: 2.63.0
 inlineScript: |
 cd dev-infrastructure/
-
- az group create -g "${REGIONAL_RESOURCEGROUP}" -l "${REGION}" --tags persist=true
-
- # region infra
- az deployment group create \
- --name "region-${GITHUB_RUN_ID}" \
- --resource-group "${REGIONAL_RESOURCEGROUP}" \
- --template-file templates/region.bicep \
- --parameters configurations/mvp-region.bicepparam \
- --parameters currentUserId="${GITHUB_ACTOR}" \
- --parameters regionalDNSSubdomain="${REGION}"
-
- # metrics infrastructure
- az deployment group create \
- --name "metrics-infra-${GITHUB_RUN_ID}" \
- --resource-group "${REGIONAL_RESOURCEGROUP}" \
- --template-file modules/metrics/metrics.bicep \
- --parameters configurations/mvp-metrics.bicepparam \
- --parameters globalResourceGroup="${REGIONAL_RESOURCEGROUP}"
+ make region metrics-infra

 deploy_service_cluster_rg:
 if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
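Review bot: `make region metrics-infra` replaces a deployment that explicitly passed `currentUserId="${GITHUB_ACTOR}"` and `regionalDNSSubdomain="${REGION}"`, and nothing in this hunk shows where those values now come from. `GITHUB_ACTOR` is a login name rather than an Entra object ID, so if the Makefile now resolves the current principal itself (for example from the OIDC session) the identity that lands in any role assignment silently changes to the workflow's service principal — worth confirming that is intended and that no grant to a human user is lost or gained. The trailing context shows deploy_service_cluster_rg keeps its `if:` guard while this job's was commented out, so a PR-open run now provisions region and metrics infrastructure from unmerged code but never the clusters; the mixed gating should be deliberate and documented in the workflow, e.g. `# region/global jobs run on PR events for validation; cluster jobs only on merge`.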
@@ -192,50 +150,19 @@ tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Install Azure CLI + uses: ./.github/actions/install-azure-cli + - name: 'Deploy' uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 with: azcliversion: 2.63.0 inlineScript: | cd dev-infrastructure/ + make svc svc.aks.admin-access svc.enable-aks-metrics - az group create -g "${SC_RESOURCEGROUP}" -l "${REGION}" --tags persist=true - - # service cluster - az deployment group create \ - --name "svc-cluster-${GITHUB_RUN_ID}" \ - --resource-group "${SC_RESOURCEGROUP}" \ - --template-file templates/svc-cluster.bicep \ - --parameters configurations/mvp-svc-cluster.bicepparam \ - --parameters currentUserId="${GITHUB_ACTOR}" \ - --parameters regionalResourceGroup="${REGIONAL_RESOURCEGROUP}" - - SVC_CLUSTER_NAME=$(az deployment group show --resource-group "${SC_RESOURCEGROUP}" --name "svc-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.aksClusterName.value) - COSMOS_DB_NAME=$(az deployment group show --resource-group "${SC_RESOURCEGROUP}" --name "svc-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.cosmosDBName.value) - SVC_KV_NAME=$(az deployment group show --resource-group "${SC_RESOURCEGROUP}" --name "svc-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.svcKeyVaultName.value) - - # service cluster role assignments - az deployment group create \ - --name "svc-roleassigns-${GITHUB_RUN_ID}" \ - --resource-group "${SC_RESOURCEGROUP}" \ - --template-file templates/dev-aks-roleassignments.bicep \ - --parameters aksClusterName=${SVC_CLUSTER_NAME} \ - --parameters cosmosDBName=${COSMOS_DB_NAME} \ - --parameters grantCosmosAccess=true \ - --parameters sharedKvNames="['${SVC_KV_NAME}']" \ - --parameters sharedKvResourceGroup="${GLOBAL_RESOURCEGROUP}" \ - --parameters githubActionsPrincipalID=${{ secrets.GHA_PRINCIPAL_ID }} - - # enable aks metrics - AZ_MONITOR_RESOURCE_ID=$(az deployment 
group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.monitorId.value) - GRAFANA_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.grafanaId.value) - - az aks update \ - --name "${SVC_CLUSTER_NAME}" \ - --enable-azure-monitor-metrics \ - --resource-group "${SC_RESOURCEGROUP}" \ - --azure-monitor-workspace-resource-id "${AZ_MONITOR_RESOURCE_ID}" \ - --grafana-resource-id "${GRAFANA_RESOURCE_ID}" + # grant GH action user access to resources + PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make dev-role-assignments deploy_management_cluster_rg: if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' 
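Review bot: `PRINCIPAL_ID=${{ secrets.GHA_PRINCIPAL_ID }} make dev-role-assignments` splices the secret into the script text through expression expansion; pass it via the step's `env:` block instead (`env:` / `PRINCIPAL_ID: ${{ secrets.GHA_PRINCIPAL_ID }}` and then just `make dev-role-assignments`) so the value reaches `make` as an environment variable and is never interpolated into shell source. The removed inline deployment scoped the GHA principal's grants explicitly (`aksClusterName`, `cosmosDBName`, `grantCosmosAccess=true`, `sharedKvNames`, `sharedKvResourceGroup`); the new `svc.aks.admin-access` and `dev-role-assignments` targets hide that scope in the Makefile, so it should be confirmed that the role set and target principals are unchanged and that "admin-access" does not grant more than the old template did. The old management-cluster job also ran the role-assignment template (`grantCosmosAccess=false`, `githubActionsPrincipalID`), and the new mgmt job in the next hunk has no counterpart; either `dev-role-assignments` now covers both clusters — in which case it runs from the service-cluster job and may execute before the management cluster exists unless a `needs:` not visible here orders them — or the management cluster lost its GHA grant.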
@@ -257,346 +184,317 @@ tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Install Azure CLI + uses: ./.github/actions/install-azure-cli + - name: 'Deploy or Update' uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 with: azcliversion: 2.63.0 inlineScript: | cd dev-infrastructure/ - - az group create -g "${MC_RESOURCEGROUP}" -l "${REGION}" --tags persist=true - - # management cluster - az deployment group create \ - --name "mgmt-cluster-${GITHUB_RUN_ID}" \ - --resource-group "${MC_RESOURCEGROUP}" \ - --template-file templates/mgmt-cluster.bicep \ - --parameters configurations/mvp-mgmt-cluster.bicepparam \ - --parameters currentUserId="${GITHUB_ACTOR}" \ - --parameters regionalResourceGroup="${REGIONAL_RESOURCEGROUP}" - - MGMT_CLUSTER_NAME=$(az deployment group show --resource-group "${MC_RESOURCEGROUP}" --name "mgmt-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.aksClusterName.value) - - # management cluster role assignments - az deployment group create \ - --name "mgmt-roleassigns-${GITHUB_RUN_ID}" \ - --resource-group "${MC_RESOURCEGROUP}" \ - --template-file templates/dev-aks-roleassignments.bicep \ - --parameters aksClusterName=${MGMT_CLUSTER_NAME} \ - --parameters grantCosmosAccess=false \ - --parameters githubActionsPrincipalID=${{ secrets.GHA_PRINCIPAL_ID }} - - # enable aks metrics - AZ_MONITOR_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.monitorId.value) - GRAFANA_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.grafanaId.value) - - az aks update \ - --name "${MGMT_CLUSTER_NAME}" \ - --enable-azure-monitor-metrics \ - --resource-group "${MC_RESOURCEGROUP}" \ - --azure-monitor-workspace-resource-id "${AZ_MONITOR_RESOURCE_ID}" \ - 
--grafana-resource-id "${GRAFANA_RESOURCE_ID}" - - build_push_frontend: - permissions: - id-token: 'write' - contents: 'read' - runs-on: 'ubuntu-latest' - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: Build frontend container image - run: | - cd frontend/ - make image - - - name: 'Az CLI login' - if: github.event.pull_request.merged == true - uses: azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Push frontend container image - if: github.event.pull_request.merged == true - run: | - cd frontend/ - az acr login --name ${ARO_HCP_IMAGE_ACR} - make push - - build_push_backend: - permissions: - id-token: 'write' - contents: 'read' - runs-on: 'ubuntu-latest' - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: Build backend container image - run: | - cd backend/ - make image - - - name: 'Az CLI login' - if: github.event.pull_request.merged == true - uses: azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Push backend container image - if: github.event.pull_request.merged == true - run: | - cd backend/ - az acr login --name ${ARO_HCP_IMAGE_ACR} - make push - - build_push_ocmirror: - permissions: - id-token: 'write' - contents: 'read' - needs: - - deploy_global_rg - runs-on: 'ubuntu-latest' - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: Build oc-mirror container image - run: | - cd image-sync/oc-mirror - make image - - - name: 'Az CLI login' - if: github.event.pull_request.merged == true - uses: azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID 
}} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Push oc-mirror container image - if: github.event.pull_request.merged == true - run: | - cd image-sync/oc-mirror - az acr login --name ${ARO_HCP_IMAGE_ACR} - make push - - build_push_imagesync: - permissions: - id-token: 'write' - contents: 'read' - needs: - - deploy_global_rg - runs-on: 'ubuntu-latest' - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: Build image-sync container image - run: | - cd tooling/image-sync - make image - - - name: 'Az CLI login' - if: github.event.pull_request.merged == true - uses: azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: Push image-sync container image - if: github.event.pull_request.merged == true - run: | - cd tooling/image-sync - az acr login --name ${ARO_HCP_IMAGE_ACR} - make push - - deploy_to_service_cluster: - if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' - needs: - - build_push_frontend - - build_push_backend - - build_push_imagesync - - build_push_ocmirror - - deploy_service_cluster_rg - permissions: - id-token: 'write' - contents: 'read' - runs-on: 'ubuntu-latest' - outputs: - service_cluster_name: ${{ steps.find_service_cluster.name }} - env: - RESOURCEGROUP: aro-hcp-dev-westus3-sc - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: 'Az CLI login' - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: 'Find service cluster' - id: find_service_cluster - uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 - with: - azcliversion: 2.63.0 - 
inlineScript: | - echo "name=$(az aks list --resource-group "${SC_RESOURCEGROUP}" --output tsv --query "[?tags.clusterType == 'svc-cluster'].name | [0]")" >> $GITHUB_OUTPUT - - - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 - - # Used to deploy Cluster Service - - name: 'Install oc' - run: | - curl -sfLo - https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.15.9/openshift-client-linux.tar.gz | tar xzf - - sudo mv oc /usr/local/bin/oc - chmod +x /usr/local/bin/oc - - # Used to deploy Maestro Server, Frontend - - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - with: - version: 'v3.13.3' - - - uses: azure/use-kubelogin@76597ae0fcbaace21b05e13a2cbf8daee2c6e820 # v1.2 - with: - kubelogin-version: 'v0.1.3' - - - name: 'Setup kubectl for service cluster' - uses: azure/aks-set-context@1cf43fa609aaef0617c6a12deda238b920e926b0 # v4.0.1 - with: - resource-group: ${{env.SC_RESOURCEGROUP}} - cluster-name: ${{ steps.find_service_cluster.outputs.name }} - use-kubelogin: 'true' - - - name: 'Deploy Istio Configuration' - run: | - cd istio - make deploy-service - - - name: 'Deploy Frontend' - run: | - cd frontend/ - make deploy - - - name: 'Deploy Backend' - run: | - cd backend/ - make deploy - - - name: 'Deploy Cluster Service' - run: | - cd cluster-service/ - make deploy - - - name: 'Deploy Maestro Server' - run: | - cd maestro/ - make deploy-server - - - name: 'Register Maestro Agent' - env: - CONSUMER_NAME: ${{ env.MC_RESOURCEGROUP }} - run: | - cd maestro/ - make register-agent - - - name: 'Deploy Image Sync' - run: | - cd image-sync/deployment - make deploy - - name: 'Deploy Prometheus Config' - run: | - cd metrics/ - make deploy-config - - deploy_to_management_cluster: - if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' - needs: - - deploy_management_cluster_rg - permissions: - id-token: 'write' - contents: 'read' - runs-on: 'ubuntu-latest' - outputs: - 
management_cluster_name: ${{ steps.find_management_cluster.name }} - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: 'Az CLI login' - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: 'Find management cluster' - id: find_management_cluster - uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 - with: - azcliversion: 2.63.0 - inlineScript: | - echo "name=$(az aks list --resource-group "${MC_RESOURCEGROUP}" --output tsv --query "[?tags.clusterType == 'mgmt-cluster'].name | [0]")" >> $GITHUB_OUTPUT - - - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 - - - uses: azure/use-kubelogin@76597ae0fcbaace21b05e13a2cbf8daee2c6e820 # v1.2 - with: - kubelogin-version: 'v0.1.3' - - - name: 'Install oc' - run: | - curl -sfLo - https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.15.9/openshift-client-linux.tar.gz | tar xzf - - sudo mv oc /usr/local/bin/oc - chmod +x /usr/local/bin/oc - - # Used to deploy Maestro Agent - - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - with: - version: 'v3.13.3' - - - name: 'Setup kubectl for management cluster' - uses: azure/aks-set-context@1cf43fa609aaef0617c6a12deda238b920e926b0 # v4.0.1 - with: - resource-group: ${{env.MC_RESOURCEGROUP}} - cluster-name: ${{ steps.find_management_cluster.outputs.name }} - use-kubelogin: 'true' - - - name: 'Deploy PKO' - run: | - cd pko/ - make deploy - - - name: 'Deploy ACM' - run: | - cd acm/ - make deploy - - - name: 'Deploy Maestro Agent' - env: - RESOURCEGROUP: ${{ env.MC_RESOURCEGROUP }} - run: | - cd maestro/ - make deploy-agent - - - name: 'Deploy Hypershift Operator and External DNS Operator' - env: - RESOURCEGROUP: ${{ env.MC_RESOURCEGROUP }} - run: | - cd hypershiftoperator/ 
- make deploy + make mgmt mgmt.aks.admin-access mgmt.enable-aks-metrics + + # build_push_frontend: + # permissions: + # id-token: 'write' + # contents: 'read' + # runs-on: 'ubuntu-latest' + # steps: + # - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + # with: + # fetch-depth: 1 + + # - name: Build frontend container image + # run: | + # cd frontend/ + # make image + + # - name: 'Az CLI login' + # if: github.event.pull_request.merged == true + # uses: azure/login@v2 + # with: + # client-id: ${{ secrets.AZURE_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # - name: Push frontend container image + # if: github.event.pull_request.merged == true + # run: | + # cd frontend/ + # az acr login --name ${ARO_HCP_IMAGE_ACR} + # make push + + # build_push_backend: + # permissions: + # id-token: 'write' + # contents: 'read' + # runs-on: 'ubuntu-latest' + # steps: + # - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + # with: + # fetch-depth: 1 + + # - name: Build backend container image + # run: | + # cd backend/ + # make image + + # - name: 'Az CLI login' + # if: github.event.pull_request.merged == true + # uses: azure/login@v2 + # with: + # client-id: ${{ secrets.AZURE_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # - name: Push backend container image + # if: github.event.pull_request.merged == true + # run: | + # cd backend/ + # az acr login --name ${ARO_HCP_IMAGE_ACR} + # make push + + # build_push_ocmirror: + # permissions: + # id-token: 'write' + # contents: 'read' + # needs: + # - deploy_global_rg + # runs-on: 'ubuntu-latest' + # steps: + # - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + # with: + # fetch-depth: 1 + + # - name: Build oc-mirror container image + # run: | + # cd image-sync/oc-mirror + # make image + + # - name: 'Az CLI login' + 
# if: github.event.pull_request.merged == true + # uses: azure/login@v2 + # with: + # client-id: ${{ secrets.AZURE_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # - name: Push oc-mirror container image + # if: github.event.pull_request.merged == true + # run: | + # cd image-sync/oc-mirror + # az acr login --name ${ARO_HCP_IMAGE_ACR} + # make push + + # build_push_imagesync: + # permissions: + # id-token: 'write' + # contents: 'read' + # needs: + # - deploy_global_rg + # runs-on: 'ubuntu-latest' + # steps: + # - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + # with: + # fetch-depth: 1 + + # - name: Build image-sync container image + # run: | + # cd tooling/image-sync + # make image + + # - name: 'Az CLI login' + # if: github.event.pull_request.merged == true + # uses: azure/login@v2 + # with: + # client-id: ${{ secrets.AZURE_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # - name: Push image-sync container image + # if: github.event.pull_request.merged == true + # run: | + # cd tooling/image-sync + # az acr login --name ${ARO_HCP_IMAGE_ACR} + # make push + + # deploy_to_service_cluster: + # if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' + # needs: + # - build_push_frontend + # - build_push_backend + # - build_push_imagesync + # - build_push_ocmirror + # - deploy_service_cluster_rg + # permissions: + # id-token: 'write' + # contents: 'read' + # runs-on: 'ubuntu-latest' + # outputs: + # service_cluster_name: ${{ steps.find_service_cluster.name }} + # env: + # RESOURCEGROUP: aro-hcp-dev-westus3-sc + # steps: + # - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + # with: + # fetch-depth: 1 + + # - name: 'Az CLI login' + # uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 + # with: + # client-id: ${{ 
secrets.AZURE_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # - name: 'Find service cluster' + # id: find_service_cluster + # uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 + # with: + # azcliversion: 2.63.0 + # inlineScript: | + # echo "name=$(az aks list --resource-group "${SC_RESOURCEGROUP}" --output tsv --query "[?tags.clusterType == 'svc-cluster'].name | [0]")" >> $GITHUB_OUTPUT + + # - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 + + # # Used to deploy Cluster Service + # - name: 'Install oc' + # run: | + # curl -sfLo - https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.15.9/openshift-client-linux.tar.gz | tar xzf - + # sudo mv oc /usr/local/bin/oc + # chmod +x /usr/local/bin/oc + + # # Used to deploy Maestro Server, Frontend + # - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + # with: + # version: 'v3.13.3' + + # - uses: azure/use-kubelogin@76597ae0fcbaace21b05e13a2cbf8daee2c6e820 # v1.2 + # with: + # kubelogin-version: 'v0.1.3' + + # - name: 'Setup kubectl for service cluster' + # uses: azure/aks-set-context@1cf43fa609aaef0617c6a12deda238b920e926b0 # v4.0.1 + # with: + # resource-group: ${{env.SC_RESOURCEGROUP}} + # cluster-name: ${{ steps.find_service_cluster.outputs.name }} + # use-kubelogin: 'true' + + # - name: 'Deploy Istio Configuration' + # run: | + # cd istio + # make deploy-service + + # - name: 'Deploy Frontend' + # run: | + # cd frontend/ + # make deploy + + # - name: 'Deploy Backend' + # run: | + # cd backend/ + # make deploy + + # - name: 'Deploy Cluster Service' + # run: | + # cd cluster-service/ + # make deploy + + # - name: 'Deploy Maestro Server' + # run: | + # cd maestro/ + # make deploy-server + + # - name: 'Register Maestro Agent' + # env: + # CONSUMER_NAME: ${{ env.MC_RESOURCEGROUP }} + # run: | + # cd maestro/ + # make register-agent + + # - name: 'Deploy Image Sync' + # run: 
| + # cd image-sync/deployment + # make deploy + # - name: 'Deploy Prometheus Config' + # run: | + # cd metrics/ + # make deploy-config + + # deploy_to_management_cluster: + # if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' + # needs: + # - deploy_management_cluster_rg + # permissions: + # id-token: 'write' + # contents: 'read' + # runs-on: 'ubuntu-latest' + # outputs: + # management_cluster_name: ${{ steps.find_management_cluster.name }} + # steps: + # - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + # with: + # fetch-depth: 1 + + # - name: 'Az CLI login' + # uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 + # with: + # client-id: ${{ secrets.AZURE_CLIENT_ID }} + # tenant-id: ${{ secrets.AZURE_TENANT_ID }} + # subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # - name: 'Find management cluster' + # id: find_management_cluster + # uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 + # with: + # azcliversion: 2.63.0 + # inlineScript: | + # echo "name=$(az aks list --resource-group "${MC_RESOURCEGROUP}" --output tsv --query "[?tags.clusterType == 'mgmt-cluster'].name | [0]")" >> $GITHUB_OUTPUT + + # - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 + + # - uses: azure/use-kubelogin@76597ae0fcbaace21b05e13a2cbf8daee2c6e820 # v1.2 + # with: + # kubelogin-version: 'v0.1.3' + + # - name: 'Install oc' + # run: | + # curl -sfLo - https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.15.9/openshift-client-linux.tar.gz | tar xzf - + # sudo mv oc /usr/local/bin/oc + # chmod +x /usr/local/bin/oc + + # # Used to deploy Maestro Agent + # - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + # with: + # version: 'v3.13.3' + + # - name: 'Setup kubectl for management cluster' + # uses: azure/aks-set-context@1cf43fa609aaef0617c6a12deda238b920e926b0 # v4.0.1 + # with: + # resource-group: ${{env.MC_RESOURCEGROUP}} + # 
cluster-name: ${{ steps.find_management_cluster.outputs.name }} + # use-kubelogin: 'true' + + # - name: 'Deploy PKO' + # run: | + # cd pko/ + # make deploy + + # - name: 'Deploy ACM' + # run: | + # cd acm/ + # make deploy + + # - name: 'Deploy Maestro Agent' + # env: + # RESOURCEGROUP: ${{ env.MC_RESOURCEGROUP }} + # run: | + # cd maestro/ + # make deploy-agent + + # - name: 'Deploy Hypershift Operator and External DNS Operator' + # env: + # RESOURCEGROUP: ${{ env.MC_RESOURCEGROUP }} + # run: | + # cd hypershiftoperator/ + # make deploy diff --git a/.github/workflows/cs-integration-env-cd.yml b/.github/workflows/cs-integration-env-cd.yml index 6b27627c1..b328cbd0a 100644 --- a/.github/workflows/cs-integration-env-cd.yml +++ b/.github/workflows/cs-integration-env-cd.yml 
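Review bot: Roughly 300 lines of workflow (build_push_frontend/backend/ocmirror/imagesync and deploy_to_service_cluster/deploy_to_management_cluster) are commented out rather than deleted, and the commented text still references `ARO_HCP_IMAGE_ACR`, `SC_RESOURCEGROUP` and `MC_RESOURCEGROUP`, which the first hunk removed from `env:`, so simply uncommenting later will not restore a working pipeline. Git history keeps the old jobs; delete them, or if they are meant to return shortly gate them with `if: false` so the YAML is still parsed and the stale env references surface immediately. After this commit the workflow builds no images and deploys no workloads to either cluster — only infrastructure — which the subject "infra deploy pipeline" implies is intended, but the description should say so, since the previous `build_push_*` jobs were also the only PR-time build check for `frontend/**`, `backend/**` and `image-sync/**`, paths that still trigger this workflow.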
@@ -1,388 +1,388 @@ ---- - name: CS Integration Environment Continuous Deployment - env: - REGION: westus3 - REGIONAL_RESOURCEGROUP: cs-integ-westus3 - SC_RESOURCEGROUP: cs-integ-westus3-sc - MC_RESOURCEGROUP: cs-integ-westus3-mc-1 - GLOBAL_RESOURCEGROUP: global - ARO_HCP_IMAGE_ACR: arohcpdev - on: - workflow_dispatch: - pull_request: - branches: - - main - paths: - - '.github/workflows/cs-integration-env-cd.yml' - - 'dev-infrastructure/**/*.bicep' - - 'dev-infrastructure/**/*.bicepparam' - - 'dev-infrastructure/configurations/*' - - 'frontend/**' - - 'backend/**' - - 'cluster-service/**' - - 'internal/**' - - 'maestro/**' - - 'pko/**' - - 'acm/**' - - 'hypershiftoperator/**' - - 'image-sync/**/' - types: - - opened - - synchronize - - reopened - - closed - - concurrency: - group: ${{ github.workflow }} - cancel-in-progress: false - - jobs: - is_running_on_fork: - if: github.event_name != 'workflow_dispatch' - runs-on: ubuntu-latest - steps: - - name: Fail if PR submitted from fork - if: ${{ github.event.pull_request.head.repo.full_name != 'Azure/ARO-HCP' }} - run: core.setFailed('Expected source repository to be Azure/ARO-HCP, re-create PR as a branch of Azure/ARO-HCP') - - deploy_region_rg: - if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' - permissions: - id-token: 'write' - contents: 'read' - runs-on: 'ubuntu-latest' - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: 'Az CLI login' - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: 'Deploy' - uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 - with: - azcliversion: 2.63.0 - inlineScript: | - cd dev-infrastructure/ - - az group create -g "${REGIONAL_RESOURCEGROUP}" -l "${REGION}" --tags persist=true - - # 
region infra - az deployment group create \ - --name "region-${GITHUB_RUN_ID}" \ - --resource-group "${REGIONAL_RESOURCEGROUP}" \ - --template-file templates/region.bicep \ - --parameters configurations/cs-integ-region.bicepparam \ - --parameters currentUserId="${GITHUB_ACTOR}" - - # metrics infrastructure - az deployment group create \ - --name "metrics-infra-${GITHUB_RUN_ID}" \ - --resource-group "${REGIONAL_RESOURCEGROUP}" \ - --template-file modules/metrics/metrics.bicep \ - --parameters configurations/cs-integ-metrics.bicepparam \ - --parameters globalResourceGroup="${REGIONAL_RESOURCEGROUP}" - - deploy_service_cluster_rg: - if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' - needs: - - deploy_region_rg - permissions: - id-token: 'write' - contents: 'read' - runs-on: 'ubuntu-latest' - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: 'Az CLI login' - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: 'Deploy' - uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 - with: - azcliversion: 2.63.0 - inlineScript: | - cd dev-infrastructure/ - - az group create -g "${SC_RESOURCEGROUP}" -l "${REGION}" --tags persist=true - - # service cluster - az deployment group create \ - --name "svc-cluster-${GITHUB_RUN_ID}" \ - --resource-group "${SC_RESOURCEGROUP}" \ - --template-file templates/svc-cluster.bicep \ - --parameters configurations/cs-integ-svc-cluster.bicepparam \ - --parameters currentUserId="${GITHUB_ACTOR}" \ - --parameters regionalResourceGroup="${REGIONAL_RESOURCEGROUP}" - - SVC_CLUSTER_NAME=$(az deployment group show --resource-group "${SC_RESOURCEGROUP}" --name "svc-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.aksClusterName.value) - 
COSMOS_DB_NAME=$(az deployment group show --resource-group "${SC_RESOURCEGROUP}" --name "svc-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.cosmosDBName.value) - SVC_KV_NAME=$(az deployment group show --resource-group "${SC_RESOURCEGROUP}" --name "svc-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.svcKeyVaultName.value) - - # service cluster role assignments - az deployment group create \ - --name "svc-roleassigns-${GITHUB_RUN_ID}" \ - --resource-group "${SC_RESOURCEGROUP}" \ - --template-file templates/dev-aks-roleassignments.bicep \ - --parameters aksClusterName=${SVC_CLUSTER_NAME} \ - --parameters cosmosDBName=${COSMOS_DB_NAME} \ - --parameters grantCosmosAccess=true \ - --parameters sharedKvNames="['${SVC_KV_NAME}']" \ - --parameters sharedKvResourceGroup="${GLOBAL_RESOURCEGROUP}" \ - --parameters githubActionsPrincipalID=${{ secrets.GHA_PRINCIPAL_ID }} - - # CS Integration MSI - az deployment group create \ - --name "cs-integ-msi-${GITHUB_RUN_ID}" \ - --resource-group "${SC_RESOURCEGROUP}" \ - --template-file templates/cs-integration-msi.bicep \ - --parameters configurations/cs-integ-msi.bicepparam - - # enable aks metrics - AZ_MONITOR_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.monitorId.value) - GRAFANA_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.grafanaId.value) - - az aks update \ - --name "${SVC_CLUSTER_NAME}" \ - --enable-azure-monitor-metrics \ - --resource-group "${SC_RESOURCEGROUP}" \ - --azure-monitor-workspace-resource-id "${AZ_MONITOR_RESOURCE_ID}" \ - --grafana-resource-id "${GRAFANA_RESOURCE_ID}" - - deploy_management_cluster_rg: - if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' - needs: - - deploy_region_rg - permissions: - 
id-token: 'write' - contents: 'read' - runs-on: 'ubuntu-latest' - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: 'Az CLI login' - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: 'Deploy or Update' - uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 - with: - azcliversion: 2.63.0 - inlineScript: | - cd dev-infrastructure/ - - az group create -g "${MC_RESOURCEGROUP}" -l "${REGION}" --tags persist=true - - # management cluster - az deployment group create \ - --name "mgmt-cluster-${GITHUB_RUN_ID}" \ - --resource-group "${MC_RESOURCEGROUP}" \ - --template-file templates/mgmt-cluster.bicep \ - --parameters configurations/cs-integ-mgmt-cluster.bicepparam \ - --parameters currentUserId="${GITHUB_ACTOR}" \ - --parameters regionalResourceGroup="${REGIONAL_RESOURCEGROUP}" - - MGMT_CLUSTER_NAME=$(az deployment group show --resource-group "${MC_RESOURCEGROUP}" --name "mgmt-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.aksClusterName.value) - - # management cluster role assignments - az deployment group create \ - --name "mgmt-roleassigns-${GITHUB_RUN_ID}" \ - --resource-group "${MC_RESOURCEGROUP}" \ - --template-file templates/dev-aks-roleassignments.bicep \ - --parameters aksClusterName=${MGMT_CLUSTER_NAME} \ - --parameters grantCosmosAccess=false \ - --parameters githubActionsPrincipalID=${{ secrets.GHA_PRINCIPAL_ID }} - - # enable aks metrics - AZ_MONITOR_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.monitorId.value) - GRAFANA_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query 
properties.outputs.grafanaId.value) - - az aks update \ - --name "${MGMT_CLUSTER_NAME}" \ - --enable-azure-monitor-metrics \ - --resource-group "${MC_RESOURCEGROUP}" \ - --azure-monitor-workspace-resource-id "${AZ_MONITOR_RESOURCE_ID}" \ - --grafana-resource-id "${GRAFANA_RESOURCE_ID}" - - deploy_to_service_cluster: - if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' - needs: - - deploy_service_cluster_rg - permissions: - id-token: 'write' - contents: 'read' - runs-on: 'ubuntu-latest' - outputs: - service_cluster_name: ${{ steps.find_service_cluster.name }} - env: - RESOURCEGROUP: cs-integ-westus3-sc - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: 'Az CLI login' - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: 'Find service cluster' - id: find_service_cluster - uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 - with: - azcliversion: 2.63.0 - inlineScript: | - echo "name=$(az aks list --resource-group "${SC_RESOURCEGROUP}" --output tsv --query "[?tags.clusterType == 'svc-cluster'].name | [0]")" >> $GITHUB_OUTPUT - - - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 - - # Used to deploy Cluster Service - - name: 'Install oc' - run: | - curl -sfLo - https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.15.9/openshift-client-linux.tar.gz | tar xzf - - sudo mv oc /usr/local/bin/oc - chmod +x /usr/local/bin/oc - - # Used to deploy Maestro Server - - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - with: - version: 'v3.13.3' - - - uses: azure/use-kubelogin@76597ae0fcbaace21b05e13a2cbf8daee2c6e820 # v1.2 - with: - kubelogin-version: 'v0.1.3' - - - name: 'Setup kubectl for service cluster' - uses: 
azure/aks-set-context@1cf43fa609aaef0617c6a12deda238b920e926b0 # v4.0.1 - with: - resource-group: ${{env.SC_RESOURCEGROUP}} - cluster-name: ${{ steps.find_service_cluster.outputs.name }} - use-kubelogin: 'true' - - - name: 'Deploy Istio Configuration' - run: | - cd istio - make deploy-service - - - name: 'Deploy Frontend' - run: | - cd frontend/ - make deploy - - - name: 'Deploy Backend' - run: | - cd backend/ - make deploy - - - name: 'Deploy Maestro Server' - run: | - cd maestro/ - RESTRICT_ISTIO_INGRESS=false make deploy-server - - - name: 'Register Maestro Agent' - env: - CONSUMER_NAME: ${{ env.MC_RESOURCEGROUP }} - run: | - cd maestro/ - make register-agent - - - name: 'Deploy Cluster Service Namespace Management' - run: | - cd cluster-service/ - make deploy-integ - - deploy_to_management_cluster: - if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' - needs: - - deploy_management_cluster_rg - permissions: - id-token: 'write' - contents: 'read' - runs-on: 'ubuntu-latest' - outputs: - management_cluster_name: ${{ steps.find_management_cluster.name }} - steps: - - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - with: - fetch-depth: 1 - - - name: 'Az CLI login' - uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - - name: 'Find management cluster' - id: find_management_cluster - uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 - with: - azcliversion: 2.63.0 - inlineScript: | - echo "name=$(az aks list --resource-group "${MC_RESOURCEGROUP}" --output tsv --query "[?tags.clusterType == 'mgmt-cluster'].name | [0]")" >> $GITHUB_OUTPUT - - - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 - - - uses: azure/use-kubelogin@76597ae0fcbaace21b05e13a2cbf8daee2c6e820 # v1.2 - with: - 
kubelogin-version: 'v0.1.3' - - - name: 'Install oc' - run: | - curl -sfLo - https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.15.9/openshift-client-linux.tar.gz | tar xzf - - sudo mv oc /usr/local/bin/oc - chmod +x /usr/local/bin/oc - - # Used to deploy Maestro Agent - - uses: azure/setup-helm@v4.2.0 - with: - version: 'v3.13.3' - - - name: 'Setup kubectl for management cluster' - uses: azure/aks-set-context@1cf43fa609aaef0617c6a12deda238b920e926b0 # v4.0.1 - with: - resource-group: ${{env.MC_RESOURCEGROUP}} - cluster-name: ${{ steps.find_management_cluster.outputs.name }} - use-kubelogin: 'true' - - - name: 'Deploy PKO' - run: | - cd pko/ - make deploy - - - name: 'Deploy ACM' - run: | - cd acm/ - make deploy - - - name: 'Deploy Maestro Agent' - env: - RESOURCEGROUP: ${{ env.MC_RESOURCEGROUP }} - run: | - cd maestro/ - make deploy-agent - - - name: 'Deploy Hypershift Operator and External DNS Operator' - env: - RESOURCEGROUP: ${{ env.MC_RESOURCEGROUP }} - run: | - cd hypershiftoperator/ - make deploy +# --- +# name: CS Integration Environment Continuous Deployment +# env: +# REGION: westus3 +# REGIONAL_RESOURCEGROUP: cs-integ-westus3 +# SC_RESOURCEGROUP: cs-integ-westus3-sc +# MC_RESOURCEGROUP: cs-integ-westus3-mc-1 +# GLOBAL_RESOURCEGROUP: global +# ARO_HCP_IMAGE_ACR: arohcpdev +# on: +# workflow_dispatch: +# pull_request: +# branches: +# - main +# paths: +# - '.github/workflows/cs-integration-env-cd.yml' +# - 'dev-infrastructure/**/*.bicep' +# - 'dev-infrastructure/**/*.bicepparam' +# - 'dev-infrastructure/configurations/*' +# - 'frontend/**' +# - 'backend/**' +# - 'cluster-service/**' +# - 'internal/**' +# - 'maestro/**' +# - 'pko/**' +# - 'acm/**' +# - 'hypershiftoperator/**' +# - 'image-sync/**/' +# types: +# - opened +# - synchronize +# - reopened +# - closed + +# concurrency: +# group: ${{ github.workflow }} +# cancel-in-progress: false + +# jobs: +# is_running_on_fork: +# if: github.event_name != 'workflow_dispatch' +# runs-on: ubuntu-latest +# 
steps: +# - name: Fail if PR submitted from fork +# if: ${{ github.event.pull_request.head.repo.full_name != 'Azure/ARO-HCP' }} +# run: core.setFailed('Expected source repository to be Azure/ARO-HCP, re-create PR as a branch of Azure/ARO-HCP') + +# deploy_region_rg: +# if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' +# permissions: +# id-token: 'write' +# contents: 'read' +# runs-on: 'ubuntu-latest' +# steps: +# - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 +# with: +# fetch-depth: 1 + +# - name: 'Az CLI login' +# uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 +# with: +# client-id: ${{ secrets.AZURE_CLIENT_ID }} +# tenant-id: ${{ secrets.AZURE_TENANT_ID }} +# subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + +# - name: 'Deploy' +# uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 +# with: +# azcliversion: 2.63.0 +# inlineScript: | +# cd dev-infrastructure/ + +# az group create -g "${REGIONAL_RESOURCEGROUP}" -l "${REGION}" --tags persist=true + +# # region infra +# az deployment group create \ +# --name "region-${GITHUB_RUN_ID}" \ +# --resource-group "${REGIONAL_RESOURCEGROUP}" \ +# --template-file templates/region.bicep \ +# --parameters configurations/cs-integ-region.bicepparam \ +# --parameters currentUserId="${GITHUB_ACTOR}" + +# # metrics infrastructure +# az deployment group create \ +# --name "metrics-infra-${GITHUB_RUN_ID}" \ +# --resource-group "${REGIONAL_RESOURCEGROUP}" \ +# --template-file modules/metrics/metrics.bicep \ +# --parameters configurations/cs-integ-metrics.bicepparam \ +# --parameters globalResourceGroup="${REGIONAL_RESOURCEGROUP}" + +# deploy_service_cluster_rg: +# if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' +# needs: +# - deploy_region_rg +# permissions: +# id-token: 'write' +# contents: 'read' +# runs-on: 'ubuntu-latest' +# steps: +# - uses: 
actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 +# with: +# fetch-depth: 1 + +# - name: 'Az CLI login' +# uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 +# with: +# client-id: ${{ secrets.AZURE_CLIENT_ID }} +# tenant-id: ${{ secrets.AZURE_TENANT_ID }} +# subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + +# - name: 'Deploy' +# uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 +# with: +# azcliversion: 2.63.0 +# inlineScript: | +# cd dev-infrastructure/ + +# az group create -g "${SC_RESOURCEGROUP}" -l "${REGION}" --tags persist=true + +# # service cluster +# az deployment group create \ +# --name "svc-cluster-${GITHUB_RUN_ID}" \ +# --resource-group "${SC_RESOURCEGROUP}" \ +# --template-file templates/svc-cluster.bicep \ +# --parameters configurations/cs-integ-svc-cluster.bicepparam \ +# --parameters currentUserId="${GITHUB_ACTOR}" \ +# --parameters regionalResourceGroup="${REGIONAL_RESOURCEGROUP}" + +# SVC_CLUSTER_NAME=$(az deployment group show --resource-group "${SC_RESOURCEGROUP}" --name "svc-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.aksClusterName.value) +# COSMOS_DB_NAME=$(az deployment group show --resource-group "${SC_RESOURCEGROUP}" --name "svc-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.cosmosDBName.value) +# SVC_KV_NAME=$(az deployment group show --resource-group "${SC_RESOURCEGROUP}" --name "svc-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.svcKeyVaultName.value) + +# # service cluster role assignments +# az deployment group create \ +# --name "svc-roleassigns-${GITHUB_RUN_ID}" \ +# --resource-group "${SC_RESOURCEGROUP}" \ +# --template-file templates/dev-aks-roleassignments.bicep \ +# --parameters aksClusterName=${SVC_CLUSTER_NAME} \ +# --parameters cosmosDBName=${COSMOS_DB_NAME} \ +# --parameters grantCosmosAccess=true \ +# --parameters sharedKvNames="['${SVC_KV_NAME}']" \ +# --parameters 
sharedKvResourceGroup="${GLOBAL_RESOURCEGROUP}" \ +# --parameters githubActionsPrincipalID=${{ secrets.GHA_PRINCIPAL_ID }} + +# # CS Integration MSI +# az deployment group create \ +# --name "cs-integ-msi-${GITHUB_RUN_ID}" \ +# --resource-group "${SC_RESOURCEGROUP}" \ +# --template-file templates/cs-integration-msi.bicep \ +# --parameters configurations/cs-integ-msi.bicepparam + +# # enable aks metrics +# AZ_MONITOR_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.monitorId.value) +# GRAFANA_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.grafanaId.value) + +# az aks update \ +# --name "${SVC_CLUSTER_NAME}" \ +# --enable-azure-monitor-metrics \ +# --resource-group "${SC_RESOURCEGROUP}" \ +# --azure-monitor-workspace-resource-id "${AZ_MONITOR_RESOURCE_ID}" \ +# --grafana-resource-id "${GRAFANA_RESOURCE_ID}" + +# deploy_management_cluster_rg: +# if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' +# needs: +# - deploy_region_rg +# permissions: +# id-token: 'write' +# contents: 'read' +# runs-on: 'ubuntu-latest' +# steps: +# - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 +# with: +# fetch-depth: 1 + +# - name: 'Az CLI login' +# uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 +# with: +# client-id: ${{ secrets.AZURE_CLIENT_ID }} +# tenant-id: ${{ secrets.AZURE_TENANT_ID }} +# subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + +# - name: 'Deploy or Update' +# uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 +# with: +# azcliversion: 2.63.0 +# inlineScript: | +# cd dev-infrastructure/ + +# az group create -g "${MC_RESOURCEGROUP}" -l "${REGION}" --tags persist=true + +# # management cluster +# az deployment group create \ +# --name 
"mgmt-cluster-${GITHUB_RUN_ID}" \ +# --resource-group "${MC_RESOURCEGROUP}" \ +# --template-file templates/mgmt-cluster.bicep \ +# --parameters configurations/cs-integ-mgmt-cluster.bicepparam \ +# --parameters currentUserId="${GITHUB_ACTOR}" \ +# --parameters regionalResourceGroup="${REGIONAL_RESOURCEGROUP}" + +# MGMT_CLUSTER_NAME=$(az deployment group show --resource-group "${MC_RESOURCEGROUP}" --name "mgmt-cluster-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.aksClusterName.value) + +# # management cluster role assignments +# az deployment group create \ +# --name "mgmt-roleassigns-${GITHUB_RUN_ID}" \ +# --resource-group "${MC_RESOURCEGROUP}" \ +# --template-file templates/dev-aks-roleassignments.bicep \ +# --parameters aksClusterName=${MGMT_CLUSTER_NAME} \ +# --parameters grantCosmosAccess=false \ +# --parameters githubActionsPrincipalID=${{ secrets.GHA_PRINCIPAL_ID }} + +# # enable aks metrics +# AZ_MONITOR_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.monitorId.value) +# GRAFANA_RESOURCE_ID=$(az deployment group show --resource-group "${REGIONAL_RESOURCEGROUP}" --name "metrics-infra-${GITHUB_RUN_ID}" --output tsv --query properties.outputs.grafanaId.value) + +# az aks update \ +# --name "${MGMT_CLUSTER_NAME}" \ +# --enable-azure-monitor-metrics \ +# --resource-group "${MC_RESOURCEGROUP}" \ +# --azure-monitor-workspace-resource-id "${AZ_MONITOR_RESOURCE_ID}" \ +# --grafana-resource-id "${GRAFANA_RESOURCE_ID}" + +# deploy_to_service_cluster: +# if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' +# needs: +# - deploy_service_cluster_rg +# permissions: +# id-token: 'write' +# contents: 'read' +# runs-on: 'ubuntu-latest' +# outputs: +# service_cluster_name: ${{ steps.find_service_cluster.name }} +# env: +# RESOURCEGROUP: cs-integ-westus3-sc +# steps: +# - uses: 
actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 +# with: +# fetch-depth: 1 + +# - name: 'Az CLI login' +# uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 +# with: +# client-id: ${{ secrets.AZURE_CLIENT_ID }} +# tenant-id: ${{ secrets.AZURE_TENANT_ID }} +# subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + +# - name: 'Find service cluster' +# id: find_service_cluster +# uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 +# with: +# azcliversion: 2.63.0 +# inlineScript: | +# echo "name=$(az aks list --resource-group "${SC_RESOURCEGROUP}" --output tsv --query "[?tags.clusterType == 'svc-cluster'].name | [0]")" >> $GITHUB_OUTPUT + +# - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 + +# # Used to deploy Cluster Service +# - name: 'Install oc' +# run: | +# curl -sfLo - https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.15.9/openshift-client-linux.tar.gz | tar xzf - +# sudo mv oc /usr/local/bin/oc +# chmod +x /usr/local/bin/oc + +# # Used to deploy Maestro Server +# - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 +# with: +# version: 'v3.13.3' + +# - uses: azure/use-kubelogin@76597ae0fcbaace21b05e13a2cbf8daee2c6e820 # v1.2 +# with: +# kubelogin-version: 'v0.1.3' + +# - name: 'Setup kubectl for service cluster' +# uses: azure/aks-set-context@1cf43fa609aaef0617c6a12deda238b920e926b0 # v4.0.1 +# with: +# resource-group: ${{env.SC_RESOURCEGROUP}} +# cluster-name: ${{ steps.find_service_cluster.outputs.name }} +# use-kubelogin: 'true' + +# - name: 'Deploy Istio Configuration' +# run: | +# cd istio +# make deploy-service + +# - name: 'Deploy Frontend' +# run: | +# cd frontend/ +# make deploy + +# - name: 'Deploy Backend' +# run: | +# cd backend/ +# make deploy + +# - name: 'Deploy Maestro Server' +# run: | +# cd maestro/ +# RESTRICT_ISTIO_INGRESS=false make deploy-server + +# - name: 'Register Maestro Agent' +# env: +# CONSUMER_NAME: ${{ 
env.MC_RESOURCEGROUP }} +# run: | +# cd maestro/ +# make register-agent + +# - name: 'Deploy Cluster Service Namespace Management' +# run: | +# cd cluster-service/ +# make deploy-integ + +# deploy_to_management_cluster: +# if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' +# needs: +# - deploy_management_cluster_rg +# permissions: +# id-token: 'write' +# contents: 'read' +# runs-on: 'ubuntu-latest' +# outputs: +# management_cluster_name: ${{ steps.find_management_cluster.name }} +# steps: +# - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 +# with: +# fetch-depth: 1 + +# - name: 'Az CLI login' +# uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1 +# with: +# client-id: ${{ secrets.AZURE_CLIENT_ID }} +# tenant-id: ${{ secrets.AZURE_TENANT_ID }} +# subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + +# - name: 'Find management cluster' +# id: find_management_cluster +# uses: azure/cli@089eac9d8cc39f5d003e94f8b65efc51076c9cbd # v2.1.0 +# with: +# azcliversion: 2.63.0 +# inlineScript: | +# echo "name=$(az aks list --resource-group "${MC_RESOURCEGROUP}" --output tsv --query "[?tags.clusterType == 'mgmt-cluster'].name | [0]")" >> $GITHUB_OUTPUT + +# - uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0 + +# - uses: azure/use-kubelogin@76597ae0fcbaace21b05e13a2cbf8daee2c6e820 # v1.2 +# with: +# kubelogin-version: 'v0.1.3' + +# - name: 'Install oc' +# run: | +# curl -sfLo - https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.15.9/openshift-client-linux.tar.gz | tar xzf - +# sudo mv oc /usr/local/bin/oc +# chmod +x /usr/local/bin/oc + +# # Used to deploy Maestro Agent +# - uses: azure/setup-helm@v4.2.0 +# with: +# version: 'v3.13.3' + +# - name: 'Setup kubectl for management cluster' +# uses: azure/aks-set-context@1cf43fa609aaef0617c6a12deda238b920e926b0 # v4.0.1 +# with: +# resource-group: ${{env.MC_RESOURCEGROUP}} +# cluster-name: ${{ 
steps.find_management_cluster.outputs.name }} +# use-kubelogin: 'true' + +# - name: 'Deploy PKO' +# run: | +# cd pko/ +# make deploy + +# - name: 'Deploy ACM' +# run: | +# cd acm/ +# make deploy + +# - name: 'Deploy Maestro Agent' +# env: +# RESOURCEGROUP: ${{ env.MC_RESOURCEGROUP }} +# run: | +# cd maestro/ +# make deploy-agent + +# - name: 'Deploy Hypershift Operator and External DNS Operator' +# env: +# RESOURCEGROUP: ${{ env.MC_RESOURCEGROUP }} +# run: | +# cd hypershiftoperator/ +# make deploy diff --git a/Makefile b/Makefile index 92d2d86d9..c62cde924 100644 --- a/Makefile +++ b/Makefile @@ -29,6 +29,9 @@ fmt: $(GOIMPORTS) # Infra # +infra.region: + cd dev-infrastructure && DEPLOY_ENV=$(DEPLOY_ENV) make region + infra.svc: cd dev-infrastructure && DEPLOY_ENV=$(DEPLOY_ENV) make svc.init diff --git a/config/config.yaml b/config/config.yaml index 6b94a933c..50660fe19 100644 --- a/config/config.yaml +++ b/config/config.yaml @@ -101,7 +101,7 @@ clouds: clusterServiceImageTag: cf23767 clusterServiceImageRepo: app-sre/uhc-clusters-service # Shared SVC KV - serviceKeyVaultName: 'aro-hcp-dev-svc-kv' + serviceKeyVaultName: 'aro-hcp-dev-global-kv' serviceKeyVaultRG: 'global' serviceKeyVaultRegion: 'westus3' serviceKeyVaultPrivate: false diff --git a/dev-infrastructure/.gitignore b/dev-infrastructure/.gitignore index 36806b6a7..b7a88e351 100644 --- a/dev-infrastructure/.gitignore +++ b/dev-infrastructure/.gitignore @@ -6,4 +6,5 @@ configurations/acr-svc.bicepparam configurations/acr-ocp.bicepparam configurations/acr.bicepparam configurations/image-sync.bicepparam +configurations/dev-role-assignments.bicepparam config.mk diff --git a/dev-infrastructure/Makefile b/dev-infrastructure/Makefile index 28e78cffd..126f1358c 100644 --- a/dev-infrastructure/Makefile +++ b/dev-infrastructure/Makefile 
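Review bot: Commenting out all 388 lines leaves `cs-integration-env-cd.yml` as a workflow file whose parsed content is empty, with no `on:` or `jobs:` keys; as far as I know GitHub Actions then reports it as an invalid workflow on every push rather than silently ignoring it. If this workflow is being retired in favour of the `DEPLOY_ENV`-driven pipeline in aro-hcp-dev-env-cd.yml, deleting the file (git history keeps the old content) or moving it out of `.github/workflows/` is cleaner than a 388-line comment block. If it is meant to come back, a single header comment saying why it is disabled and what replaces it, e.g. `# Disabled while the CS integration environment moves to the DEPLOY_ENV-based pipeline (see aro-hcp-dev-env-cd.yml)`, would tell the next reader what to do with it.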
@@ -188,7 +188,7 @@ svc.wait:
 @./ensure-no-running-deployment.sh $(SVC_RESOURCEGROUP) $(SVC_RG_DEPLOYMENT_NAME)
 .PHONY: svc.wait
 
-svc: svc.wait svc.rg cleanup-orphaned-rolebindings region
+svc: svc.wait svc.rg cleanup-orphaned-rolebindings
 az deployment group create \
 --name "svc" \
 --resource-group $(SVC_RESOURCEGROUP) \
@@ -223,7 +223,7 @@ svc.aks.kubeconfigfile:
 @echo ${SVC_KUBECONFIG_FILE}
 .PHONY: svc.aks.kubeconfigfile
 
-svc.init: svc svc.aks.admin-access svc.aks.kubeconfig svc.enable-aks-metrics
+svc.init: region svc svc.aks.admin-access svc.aks.kubeconfig svc.enable-aks-metrics
 .PHONY: svc.init
 
 svc.what-if: svc.rg
@@ -235,6 +235,15 @@ svc.what-if: svc.rg
 configurations/svc-cluster.bicepparam
 .PHONY: svc.what-if
 
+svc.dev-role-assignments:
+ @./ensure-no-running-deployment.sh $(SC_RESOURCEGROUP) svc-roleassigns
+ az deployment group create \
+ --name svc-roleassigns \
+ --resource-group "${SC_RESOURCEGROUP}" \
+ --template-file templates/dev-roleassignments.bicep \
+ --parameters configurations/dev-role-assignments.bicepparam
+ --parameters principalID=${PRINCIPAL_ID}
+
 svc.clean:
 @if [ "$$(az group exists --name $(SVC_RESOURCEGROUP))" = "true" ]; then \
 az group delete -g $(SVC_RESOURCEGROUP); \
@@ -258,7 +267,7 @@ mgmt.wait:
 @./ensure-no-running-deployment.sh $(MGMT_RESOURCEGROUP) $(MGMG_RG_DEPLOYMENT_NAME)
 .PHONY: mgmt.wait
 
-mgmt: mgmt.wait mgmt.rg cleanup-orphaned-rolebindings region
+mgmt: mgmt.wait mgmt.rg cleanup-orphaned-rolebindings
 az deployment group create \
 --name $(MGMG_RG_DEPLOYMENT_NAME) \
 --resource-group $(MGMT_RESOURCEGROUP) \
@@ -293,7 +302,7 @@ mgmt.aks.kubeconfigfile:
 @echo ${MGMT_KUBECONFIG_FILE}
 .PHONY: mgmt.aks.kubeconfigfile
 
-mgmt.init: mgmt mgmt.aks.admin-access mgmt.aks.kubeconfig mgmt.enable-aks-metrics
+mgmt.init: region mgmt mgmt.aks.admin-access mgmt.aks.kubeconfig mgmt.enable-aks-metrics
 .PHONY: mgmt.init
 
 mgmt.what-if: mgmt.rg
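Review bot: The new `svc.dev-role-assignments` recipe is missing a line continuation after `--parameters configurations/dev-role-assignments.bicepparam`, so `--parameters principalID=${PRINCIPAL_ID}` runs as a separate shell command that fails, and the `az deployment group create` before it is submitted without the principal override; the fix is the trailing backslash, `--parameters configurations/dev-role-assignments.bicepparam \`. The same target reads `$(SC_RESOURCEGROUP)` and `"${SC_RESOURCEGROUP}"` while the neighbouring `svc.wait` and `svc.clean` recipes use `$(SVC_RESOURCEGROUP)`; if `SC_RESOURCEGROUP` is not defined in this Makefile, both the guard script and the deployment would run with an empty resource-group name. Because dev-roleassignments.bicep grants AKS RBAC Cluster Admin, Cosmos DB data access and Key Vault Secrets User to whichever principal is passed, it is worth failing fast on an empty value with a first recipe line such as `@test -n "$(PRINCIPAL_ID)" || (echo "PRINCIPAL_ID must be set" >&2; exit 1)`, and adding `.PHONY: svc.dev-role-assignments` as every other target in this file does.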
diff --git a/dev-infrastructure/configurations/dev-role-assignments.tmpl.bicepparam b/dev-infrastructure/configurations/dev-role-assignments.tmpl.bicepparam new file mode 100644 index 000000000..6003767fe --- /dev/null +++ b/dev-infrastructure/configurations/dev-role-assignments.tmpl.bicepparam @@ -0,0 +1,8 @@ +using '../templates/dev-roleassignments.bicep' + +param aksClusterName = '{{ .aksName }}' +param grantCosmosAccess = true +param cosmosDBName = '{{ .frontendCosmosDBName }}' +param sharedKvNames = ['{{ .serviceKeyVaultName }}'] +param sharedKvResourceGroup = '{{ .serviceKeyVaultRG }}' +param principalID = '' diff --git a/dev-infrastructure/templates/dev-aks-roleassignments.bicep b/dev-infrastructure/templates/dev-roleassignments.bicep similarity index 87% rename from dev-infrastructure/templates/dev-aks-roleassignments.bicep rename to dev-infrastructure/templates/dev-roleassignments.bicep index 7001ee5da..d4b57a78e 100644 --- a/dev-infrastructure/templates/dev-aks-roleassignments.bicep +++ b/dev-infrastructure/templates/dev-roleassignments.bicep @@ -6,7 +6,7 @@ param cosmosDBName string = 'replaceme' param sharedKvNames array = [] param sharedKvResourceGroup string = 'global' param location string = resourceGroup().location -param githubActionsPrincipalID string +param principalID string // https://learn.microsoft.com/en-us/azure/aks/manage-azure-rbac#create-role-assignments-for-users-to-access-the-cluster // Azure Kubernetes Service RBAC Cluster Admin @@ -18,7 +18,7 @@ var aksClusterRbacClusterAdminRoleId = subscriptionResourceId( // Grants Github Actions access to Cosmos data param cosmosRoleDefinitionId string = '00000000-0000-0000-0000-000000000002' -var cosmosRoleAssignmentId = guid(cosmosRoleDefinitionId, githubActionsPrincipalID, cosmosDbAccount.id) +var cosmosRoleAssignmentId = guid(cosmosRoleDefinitionId, principalID, cosmosDbAccount.id) // C O S M O S 
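Review bot: `param principalID = ''` in dev-role-assignments.tmpl.bicepparam is a placeholder that only works because the Makefile target in this commit overrides it with `--parameters principalID=...`; nothing in the file says so, and an empty principal is meaningless for the three role assignments the template creates. A one-line comment above it, `// placeholder: the deploying principal's object ID is supplied at deploy time via --parameters principalID=...`, would stop the next reader from filling it in by hand or assuming it is optional.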
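Review bot: The comment `// Grants Github Actions access to Cosmos data` above `cosmosRoleDefinitionId` is now stale: this hunk renames `githubActionsPrincipalID` to the generic `principalID`, so the Cosmos role (and, in the following hunks, AKS Cluster Admin and Key Vault Secrets User) goes to whatever principal the caller passes, which per the new bicepparam is no longer tied to GitHub Actions. Suggest `// Grants the deploying principal (principalID) data access to the Cosmos DB account`. Since `param principalID string` has no default and is the one value that decides who gets cluster-admin on the AKS cluster, a `@description('Object ID of the principal that receives AKS RBAC Cluster Admin, Cosmos DB data access and Key Vault Secrets User')` on the declaration would make that explicit where people look first.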
@@ -33,10 +33,10 @@ resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' exis
 // az aks command invoke --resource-group hcp-standalone-mshen --name aro-hcp-cluster-001 --command "kubectl get ns"
 resource currentUserAksClusterAdmin 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
 scope: aksCluster
- name: guid(location, aksClusterName, aksClusterRbacClusterAdminRoleId, githubActionsPrincipalID)
+ name: guid(location, aksClusterName, aksClusterRbacClusterAdminRoleId, principalID)
 properties: {
 roleDefinitionId: aksClusterRbacClusterAdminRoleId
- principalId: githubActionsPrincipalID
+ principalId: principalID
 }
 }
 
@@ -45,7 +45,7 @@ resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignm
 parent: cosmosDbAccount
 properties: {
 roleDefinitionId: '/${subscription().id}/resourceGroups/${resourceGroup().name}/providers/Microsoft.DocumentDB/databaseAccounts/${cosmosDbAccount.name}/sqlRoleDefinitions/${cosmosRoleDefinitionId}'
- principalId: githubActionsPrincipalID
+ principalId: principalID
 scope: cosmosDbAccount.id
 }
 }
@@ -59,7 +59,7 @@ module keyVaultAccess '../modules/keyvault/keyvault-secret-access.bicep' = [
 params: {
 keyVaultName: name
 roleName: 'Key Vault Secrets User'
- managedIdentityPrincipalId: githubActionsPrincipalID
+ managedIdentityPrincipalId: principalID
 }
 }
 ]