Hive upgrade artifact cache #4469
Open
+116
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
shubhadapaithankar
requested review from
bennerv,
cadenmarchese,
fahlmant,
hawkowl,
hlipsig,
jharrington22,
kimorris27,
mociarain,
mrWinston,
pepedocs,
rogbas,
sankur-codes,
tiguelu,
tsatam,
wanghaoran1988 and
yjst2012
as code owners
shubhadapaithankar
force-pushed
the
hive-upgrade-artifact-cache
branch
from
019c3ea to
05572f6
Compare
|
Please rebase pull request. |
shubhadapaithankar
force-pushed
the
hive-upgrade-artifact-cache
branch
from
05572f6 to
8f1dd80
Compare
- Create ARM template for arolocaldevsvc ACR in dev environment - Add Bicep templates for artifact cache credentials and rules - Add ARM template for AKS to ACR pull role assignment - Update Hive script to use artifact cache ACR with production version f84d11f6765b20de5a6c66998f2114b6855e94e0 - Support configurable registry via HIVE_ACR_REGISTRY environment variable This enables Hive upgrades in v4-eastus, v4-westeurope, and v4-australiaeast using Azure artifact cache to pull from the new Hive repository at quay.io/redhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive Related: ARO-20992
shubhadapaithankar
force-pushed
the
hive-upgrade-artifact-cache
branch
from
8f1dd80 to
ec4ded4
Compare
kimorris27
requested changes
Nov 20, 2025
Contributor
kimorris27
left a comment
kimorris27
left a comment
There was a problem hiding this comment.
The new templates and the changes to hive-generate-config.sh look good, but we're missing a few things:
- ARM/Bicep to deploy the ACR itself. Some things to keep in mind:
- Since we have three shared development environments in different regions, using a single ACR name may result in conflicts upon deployment attempts. It may be easiest to use one ACR per region. I'm thinking the ACR would go in the
v4-$LOCATIONresource group. - We might want to consider the full service dev env as well. The full service dev env already includes its own ACR instance. I seem to recall the full service dev deployment process being broken though, so I'd say not to worry about it if it's still broken.
- Since we have three shared development environments in different regions, using a single ACR name may result in conflicts upon deployment attempts. It may be easiest to use one ACR per region. I'm thinking the ACR would go in the
- We'll want to incorporate these templates into our existing deployment procedures and documentation as needed. Here's where the other functions used to deploy templates for the full service dev env live: https://github.com/Azure/ARO-RP/blob/master/hack/devtools/deploy-shared-env.sh
shubhadapaithankar
force-pushed
the
hive-upgrade-artifact-cache
branch
from
cf888f9 to
b9f7725
Compare
- Add deploy_hive_acr_dev() to create per-region ACR (arodevhive{location})
- Add deploy_hive_artifact_cache_credentials() for credential set
- Add deploy_hive_artifact_cache_rules() for cache rules
- Add deploy_hive_aks_acr_pull_role() for AKS pull access
- Update default ACR registry to arodevhiveeastus.azurecr.io
Addresses PR feedback to integrate templates into existing deployment procedures
shubhadapaithankar
force-pushed
the
hive-upgrade-artifact-cache
branch
from
b9f7725 to
0cf10bb
Compare
kimorris27
requested changes
Nov 20, 2025
Contributor
kimorris27
left a comment
kimorris27
left a comment
There was a problem hiding this comment.
Thanks for the changes so far. I left a few more suggestions, and we're still missing updates to the shared dev env deployment docs: https://github.com/Azure/ARO-RP/blob/master/docs/prepare-a-shared-rp-development-environment.md
- Create hive-acr-cache-and-access.bicep combining credential set, cache rules, and role assignment - Reduce from 4 functions to 2: deploy_hive_acr_dev() and deploy_hive_acr_cache_and_access() - Dependencies now captured in template rather than requiring manual ordering - Remove separate aks-acr-pull-role.json, artifact-cache-credential-set.bicep, artifact-cache-rules.bicep Addresses PR feedback from kimorris27
- Add HIVE_ACR_NAME env var with default arolocaldev${LOCATION}
- Avoids redefining ACR name in multiple functions
Addresses feedback from kimorris27
Reference team wiki instead of specific engineers for credentials Addresses feedback from kimorris27
kimorris27
requested changes
Nov 20, 2025
Contributor
kimorris27
left a comment
kimorris27
left a comment
There was a problem hiding this comment.
The code changes look good! It's just missing the documentation update now.
It'd also be good to see it deployed and working in at least one of the three regional shared dev environments before merge.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Which issue this PR addresses:
Related: ARO-22319
Supports: ARO-22319
What this PR does / why we need it:
Adds ARM/Bicep templates for ACR artifact cache to enable Hive upgrades in shared dev environments (v4-eastus, v4-westeurope, v4-australiaeast) and E2E. Hive team moved to new Quay repository requiring artifact cache instead of mirroring pipeline. Updates Hive script to pull from artifact cache ACR (
arolocaldevsvcfor dev,arosvcdevfor E2E) and bumps to production versionf84d11f6765b20de5a6c66998f2114b6855e94e0.Test plan for issue:
Manual deployment:
arolocaldevsvcACR with artifact cache templates (mirrors existingocpciarotestsetup)HIVE_ACR_REGISTRY=arolocaldevsvc.azurecr.ioredhat-services-prod/crt-redhat-acm-tenant/hive-operator/hive:f84d11f6765b20de5a6c66998f2114b6855e94e0Repeat for E2E using
arosvcdevACR.Is there any documentation that needs to be updated for this PR?
No. Infrastructure templates only.
How do you know this will function as expected in production?
Dev/E2E only. Follows production pattern (ARO-20992) and existing artifact cache setup (
ocpciarotest). Standard Azure monitoring and K8s pod status verification.