Add Hive ACR deployment functions to deploy-shared-env.sh

shubhadapaithankar · shubhadapaithankar · commit b9f772500414 · 2025-11-20T08:29:53.000-08:00
- Add deploy_hive_acr_dev() to create per-region ACR (arodevhive{location})
- Add deploy_hive_artifact_cache_credentials() for credential set
- Add deploy_hive_artifact_cache_rules() for cache rules
- Add deploy_hive_aks_acr_pull_role() for AKS pull access
- Update default ACR registry to arodevhiveeastus.azurecr.io

Addresses PR feedback to integrate templates into existing deployment procedures
diff --git a/hack/devtools/deploy-shared-env.sh b/hack/devtools/deploy-shared-env.sh
@@ -83,6 +83,79 @@ deploy_aks_dev() {
             "sshRSAPublicKey=$(<secrets/proxy_id_rsa.pub)" >/dev/null
 }
 
+deploy_hive_acr_dev() {
+    echo "########## Deploying Hive ACR in RG $RESOURCEGROUP ##########"
+    local acr_name="arolocaldev${LOCATION}"
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n hive-acr \
+        --template-file pkg/deploy/assets/ci-development.json \
+        --parameters "acrName=$acr_name" >/dev/null
+    echo "########## Created ACR: $acr_name ##########"
+}
+
+deploy_hive_artifact_cache_credentials() {
+    echo "########## Deploying Hive artifact cache credentials in RG $RESOURCEGROUP ##########"
+    local acr_name="arolocaldev${LOCATION}"
+    
+    if [ -z "$HIVE_PULL_USERNAME" ] || [ -z "$HIVE_PULL_PASSWORD" ]; then
+        echo "ERROR: HIVE_PULL_USERNAME and HIVE_PULL_PASSWORD must be set"
+        echo "Contact Kipp/Adam for Hive pull secret credentials"
+        return 1
+    fi
+    
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n hive-artifact-cache-credentials \
+        --template-file pkg/deploy/assets/artifact-cache-credential-set.bicep \
+        --parameters \
+            "acrName=$acr_name" \
+            "username=$HIVE_PULL_USERNAME" \
+            "password=$HIVE_PULL_PASSWORD" >/dev/null
+    echo "########## Credential set created for $acr_name ##########"
+}
+
+deploy_hive_artifact_cache_rules() {
+    echo "########## Deploying Hive artifact cache rules in RG $RESOURCEGROUP ##########"
+    local acr_name="arolocaldev${LOCATION}"
+    
+    local credential_set_id=$(az acr credential-set show \
+        --registry "$acr_name" \
+        --name hive-pull-credentials \
+        --query id -o tsv 2>/dev/null)
+    
+    if [ -z "$credential_set_id" ]; then
+        echo "ERROR: Credential set not found for $acr_name"
+        echo "Run deploy_hive_artifact_cache_credentials first"
+        return 1
+    fi
+    
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n hive-artifact-cache-rules \
+        --template-file pkg/deploy/assets/artifact-cache-rules.bicep \
+        --parameters \
+            "acrName=$acr_name" \
+            "credentialSetResourceId=$credential_set_id" >/dev/null
+    echo "########## Artifact cache rules created for $acr_name ##########"
+}
+
+deploy_hive_aks_acr_pull_role() {
+    echo "########## Granting AKS cluster ACR pull access for Hive in RG $RESOURCEGROUP ##########"
+    local aks_cluster="${AKS_CLUSTER_NAME:-aro-aks-cluster-001}"
+    local acr_name="arolocaldev${LOCATION}"
+    
+    az deployment group create \
+        -g "$RESOURCEGROUP" \
+        -n hive-aks-acr-pull-role \
+        --template-file pkg/deploy/assets/aks-acr-pull-role.json \
+        --parameters \
+            "aksClusterName=$aks_cluster" \
+            "acrName=$acr_name" \
+            "acrResourceGroup=$RESOURCEGROUP" >/dev/null
+    echo "########## AKS cluster $aks_cluster granted pull access to $acr_name ##########"
+}
+
 deploy_vpn_for_dedicated_rp() {
     echo "########## Deploying Dev VPN in RG $RESOURCEGROUP ##########"
     az deployment group create \
diff --git a/hack/hive/hive-generate-config.sh b/hack/hive/hive-generate-config.sh
@@ -18,10 +18,12 @@ main() {
 
     # Hive images are now pulled from ACR using artifact cache rules
     # The new Hive repository: quay.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive
-    # is mirrored to ACR via artifact cache rules set up on arolocaldevsvc (dev) and arosvcdev (e2e)
-    # For dev environments, use arolocaldevsvc; for E2E, use arosvcdev
+    # is mirrored to ACR via artifact cache rules
+    # For shared dev environments: arolocaldev<location>.azurecr.io (e.g., arolocaldeveastus.azurecr.io)
+    # For E2E environment: arosvcdev.azurecr.io
+    # Override with HIVE_ACR_REGISTRY if needed
     # shellcheck disable=SC2034
-    local -r acr_registry="${HIVE_ACR_REGISTRY:-arolocaldevsvc.azurecr.io}"
+    local -r acr_registry="${HIVE_ACR_REGISTRY:-arolocaldeveastus.azurecr.io}"
     local -r hive_image="${acr_registry}/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive:${hive_image_commit_hash}"
 
 
