Add Hive upgrade infrastructure with artifact cache support

- Create ARM template for arolocaldevsvc ACR in dev environment
- Add Bicep templates for artifact cache credentials and rules
- Add ARM template for AKS to ACR pull role assignment
- Update Hive script to use artifact cache ACR with production version f84d11f6765b20de5a6c66998f2114b6855e94e0
- Support configurable registry via HIVE_ACR_REGISTRY environment variable

This enables Hive upgrades in v4-eastus, v4-westeurope, and v4-australiaeast
using Azure artifact cache to pull from the new Hive repository at
quay.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive

Related: ARO-20992

Author: shubhadapaithankar

hack/hive/hive-generate-config.sh

@@ -9,16 +9,20 @@ main() {
     trap "cleanup $tmpdir" EXIT
 
     # This is the commit sha that the image was built from and ensures we use the correct configs for the release
-    local -r default_commit="8796c4f534"
+    # Production version as of Nov 5th: f84d11f6765b20de5a6c66998f2114b6855e94e0
+    local -r default_commit="f84d11f6765b20de5a6c66998f2114b6855e94e0"
     local -r hive_image_commit_hash="${1:-$default_commit}"
     log "Using hive commit: $hive_image_commit_hash"
     # shellcheck disable=SC2034
     local -r hive_operator_namespace="hive"
 
-    # For now we'll use the quay hive image, but this will change to an ACR once the quay.io -> ACR mirroring is setup
-    # Note: semi-scientific way to get the latest image: `podman search --list-tags --limit 10000 quay.io/app-sre/hive | tail -n1`
+    # Hive images are now pulled from ACR using artifact cache rules
+    # The new Hive repository: quay.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive
+    # is mirrored to ACR via artifact cache rules set up on arolocaldevsvc (dev) and arosvcdev (e2e)
+    # For dev environments, use arolocaldevsvc; for E2E, use arosvcdev
     # shellcheck disable=SC2034
-    local -r hive_image="arointsvc.azurecr.io/app-sre/hive:${hive_image_commit_hash}"
+    local -r acr_registry="${HIVE_ACR_REGISTRY:-arolocaldevsvc.azurecr.io}"
+    local -r hive_image="${acr_registry}/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive:${hive_image_commit_hash}"
 
 
     # shellcheck disable=SC2034

pkg/deploy/assets/aks-acr-pull-role.json

@@ -0,0 +1,52 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "aksClusterName": {
+            "type": "string",
+            "metadata": {
+                "description": "Name of the AKS cluster"
+            }
+        },
+        "acrName": {
+            "type": "string",
+            "metadata": {
+                "description": "Name of the ACR to grant pull access to"
+            }
+        },
+        "acrResourceGroup": {
+            "type": "string",
+            "defaultValue": "[resourceGroup().name]",
+            "metadata": {
+                "description": "Resource group containing the ACR"
+            }
+        }
+    },
+    "variables": {
+        "aksClusterId": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))]",
+        "acrResourceId": "[resourceId(parameters('acrResourceGroup'), 'Microsoft.ContainerRegistry/registries', parameters('acrName'))]",
+        "acrPullRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
+        "roleAssignmentName": "[guid(variables('aksClusterId'), variables('acrResourceId'), variables('acrPullRoleDefinitionId'))]"
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/roleAssignments",
+            "apiVersion": "2022-04-01",
+            "name": "[variables('roleAssignmentName')]",
+            "scope": "[variables('acrResourceId')]",
+            "properties": {
+                "roleDefinitionId": "[variables('acrPullRoleDefinitionId')]",
+                "principalId": "[reference(variables('aksClusterId'), '2023-01-01', 'Full').properties.identityProfile.kubeletidentity.objectId]",
+                "principalType": "ServicePrincipal",
+                "description": "Allows AKS cluster to pull images from ACR for Hive deployment"
+            }
+        }
+    ],
+    "outputs": {
+        "roleAssignmentId": {
+            "type": "string",
+            "value": "[resourceId('Microsoft.Authorization/roleAssignments', variables('roleAssignmentName'))]"
+        }
+    }
+}
+

pkg/deploy/assets/artifact-cache-credential-set.bicep

@@ -0,0 +1,39 @@
+// Credential Set for Artifact Cache
+// Stores credentials needed to pull from the new Hive repository
+
+@description('Name of the Azure Container Registry')
+param acrName string
+
+@description('Name for the credential set')
+param credentialSetName string = 'hive-pull-credentials'
+
+@description('Username or client ID for authentication')
+@secure()
+param username string
+
+@description('Password or client secret for authentication')
+@secure()
+param password string
+
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
+  name: acrName
+}
+
+resource credentialSet 'Microsoft.ContainerRegistry/registries/credentialSets@2023-01-01-preview' = {
+  parent: acr
+  name: credentialSetName
+  properties: {
+    authCredentials: [
+      {
+        name: 'Credential1'
+        usernameSecretIdentifier: username
+        passwordSecretIdentifier: password
+      }
+    ]
+    loginServer: 'quay.io'
+  }
+}
+
+output credentialSetResourceId string = credentialSet.id
+output credentialSetName string = credentialSet.name
+

pkg/deploy/assets/artifact-cache-rules.bicep

@@ -0,0 +1,32 @@
+// Artifact Cache Rules for Hive Images
+// Based on https://msazure.visualstudio.com/AzureRedHatOpenShift/_git/sdp-pipelines?path=/classic/global/infra/Templates/artifact-cache.bicep
+
+@description('Name of the Azure Container Registry')
+param acrName string
+
+@description('Source repository for Hive images')
+param sourceRepository string = 'quay.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive'
+
+@description('Target repository name in ACR')
+param targetRepository string = 'redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive'
+
+@description('Credential set resource ID for pull authentication')
+param credentialSetResourceId string
+
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
+  name: acrName
+}
+
+resource cacheRule 'Microsoft.ContainerRegistry/registries/cacheRules@2023-01-01-preview' = {
+  parent: acr
+  name: 'hive-cache-rule'
+  properties: {
+    sourceRepository: sourceRepository
+    targetRepository: targetRepository
+    credentialSetResourceId: credentialSetResourceId
+  }
+}
+
+output cacheRuleName string = cacheRule.name
+output cacheRuleId string = cacheRule.id
+

pkg/deploy/assets/local-dev-acr.json

@@ -0,0 +1,47 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "acrLocationOverride": {
+            "type": "string",
+            "defaultValue": "eastus",
+            "metadata": {
+                "description": "Location for the ACR if different from resource group"
+            }
+        },
+        "acrName": {
+            "type": "string",
+            "defaultValue": "arolocaldevsvc",
+            "metadata": {
+                "description": "Name of the Azure Container Registry"
+            }
+        }
+    },
+    "resources": [
+        {
+            "sku": {
+                "name": "Premium"
+            },
+            "properties": {
+                "dataEndpointEnabled": true,
+                "anonymousPullEnabled": false,
+                "networkRuleBypassOptions": "AzureServices"
+            },
+            "name": "[parameters('acrName')]",
+            "type": "Microsoft.ContainerRegistry/registries",
+            "location": "[if(equals(parameters('acrLocationOverride'), ''), resourceGroup().location, parameters('acrLocationOverride'))]",
+            "apiVersion": "2023-01-01-preview"
+        }
+    ],
+    "outputs": {
+        "acrLoginServer": {
+            "type": "string",
+            "value": "[reference(resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))).loginServer]"
+        },
+        "acrResourceId": {
+            "type": "string",
+            "value": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName'))]"
+        }
+    }
+}
+